The question was how to block certain IP addresses from accessing an NT server. I thought this was an excellent suggestion.
If you want a solution for the NT box itself use RRAS (formerly steelhead)and the RRAS-fix to setup the routing software on your box. Uncheck the "enable IP forwarding" from the routing tab in the network control panel.
Upon reboot you may start the RRAS service and enter Incoming and Outgoing filters that are local to the NT box using the RRAS admin tool. I have found the new RRAS very useful in this respect. The old IP security settings were not as robust or as functional as the new RRAS software. RRAS will log certain router type events to a log file but I have not found out if/where RRAS writes rejected packets, anyone........
Backup one step