Discussion in 'Cisco' started by John Sasso, Oct 2, 2004.

    I've run into a problem which I'm trying to find a solution to at work.

    We have a Cisco VPN 3030 concentrator that administrators will VPN into
    using Cisco's VPN client in order to do management remotely (there will
    be quite a few admins, so for manageability purposes I do not want to
    create them local accounts on the concentrator). The 3030 will
    authenticate against a SecureACS server which is in a Windows Active
    Directory domain.

    [ For the sake of discussion, assume the Cisco products are all running
    the latest software ]

    The admins will belong to certain Windows groups (in Active Directory)
    to designate the machine-spec. areas they are responsible for: Windows
    servers, UNIX servers, mainframes, database servers, network devices.
    The goal is to restrict access by those users, based on the group they
    are in, to the machines they are to administer.


    1. is there a way to tie a VPN group [in the 3030] to a Windows group in
    AD through Secure ACS?

    2. can you tie access control lists to a Windows group in Secure ACS?

    Someone on my team suggested tying the Windows group (and, in turn, the
    VPN group) to an IP address pool for that group on the VPN concentrator,
    and then using the firewalls that the admins have to go through to filter
    access to the servers/devices based on IP address range. The issue I
    have with that is it is still not user or group based.

    Another question: can you set up IP address pools for a VPN
    concentrator on an ACS server rather than on the VPN concentrator alone?


    PS: Please send all responses to this group, not to me directly.
    John Sasso, Oct 2, 2004
