You can check the IP address of the client computer and enable or disable pages based on that.
Look at $_SERVER['REMOTE_ADDR']
. If it's an address on your Intranet, enable or disable the page as appropriate. Similarly, you can enable or disable pages for Extranet visitors.
You will still need to authenticate your visitors. There's no specific need for an SSL certificate, but it's the only reliable way to guarantee the security of password exchanges.