Hey
Unfortunately it’s pretty difficult to achieve with the current ACL implementation to be honest, due to missing things and a couple of bugs.
I personally used a custom SQLFilter policy to do it myself, because it had to be dynamic. If you can accept the restrictions being hardcoded (site paths and roles), then you can achieve it more easily. However, due to https://jira.neos.io/browse/NEOS-1371 it's impossible to apply restrictions only when logged in, or at least I didn't find a way.
It would make sense to add an issue to https://jira.neos.io/browse/NEOS-177
Maybe @bwaidelich or @andi know more.
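For readers who can live with the hardcoded variant mentioned in the reply above, here is an illustrative Policy.yaml that restricts one role to editing a single site subtree. This is an added example, not code from the thread or from the Neos project; the site path `/sites/site-a`, the package key `Vendor.Site`, the role and privilege-target names are assumed placeholders, and the privilege class and parent role use the `Neos\ContentRepository` / `Neos.Neos` namespaces of Neos 3 (older installations use the `TYPO3\TYPO3CR` / `TYPO3.Neos` names). It does not address the logged-in-only case the reply says NEOS-1371 blocks.

```yaml
# Added example (not from the original post): Vendor.Site/Configuration/Policy.yaml
# Assumption: Neos 3 class and role names; adjust for TYPO3\TYPO3CR on older versions.
privilegeTargets:
  'Neos\ContentRepository\Security\Authorization\Privilege\Node\EditNodePrivilege':
    # Matches every node below the (assumed) site root /sites/site-a
    'Vendor.Site:EditSiteA':
      matcher: 'isDescendantNodeOf("/sites/site-a")'
    # Matches every node below the other site; used to deny access explicitly
    'Vendor.Site:EditSiteB':
      matcher: 'isDescendantNodeOf("/sites/site-b")'

roles:
  # Assumed role name; inherits the normal backend editor permissions
  'Vendor.Site:SiteAEditor':
    parentRoles: ['Neos.Neos:AbstractEditor']
    privileges:
      -
        privilegeTarget: 'Vendor.Site:EditSiteA'
        permission: GRANT
      -
        # DENY wins over any GRANT inherited from parent roles, so a
        # SiteAEditor cannot edit site-b even if another role grants it
        privilegeTarget: 'Vendor.Site:EditSiteB'
        permission: DENY
```

After adding the file, flush caches (`./flow flow:cache:flush`) and check the effective result with `./flow security:showeffectivepolicy` for the role; as the reply notes, the paths and role names are fixed at configuration time, so a dynamic mapping still needs a custom privilege implementation.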