The easiest, and probably the most straight forward method would be to go into the Internet Information services (IIS) Manager, right click on your website and choose properties. Once in here, go to the Directory Security tab and click Edit for "IP address and domain name restrictions". If there are only a handful of computers you wish to allow access (and block everyone else), change the option to "Denied Access" for the Default and then use the Add button put in exceptions on a single IP, range of IPs, or even by the Domain name (this requires a valid rDNS of the client's domain). This will allow your site to remain upon the internet and still control the availability of the content.
Digital certificates are more for a server to verify to a client who it is, rather than the other way around.
If you wanted to restrict traffic on a more global scale with more control, you may want to consider adjusting your webserver's IPSec policies (found in the Local Security Policy administrative tool). The process is a lot more in depth, but you can view a pretty in depth article on Microsoft's TechNet on how to set it up here: http://technet.microsoft.com/en-us/library/bb742429.aspx
As far as limiting access through a VPN, you can do this by either of the two methods above. Since VPN users are going to be given a defined range of IPs when they connect, you can set them as an exception rule pretty easily.
All postings are provided "AS IS" with no warranties, and confer no rights.
Nathan S., MCP
Enterhost Support Team
www.enterhost.com