Using IIS7, how do I direct internal private network IP's addresses to my web site while I direct external IP addresses to a "site under maintenance" page?

So far on IIS7 I've found the section in IIS named "IPv4 Address and Domain Restrictions" and I can add the 3 internal ranges to that as an allow range. That seems easy. Now how do I direct all other traffic to a static page such as app_offline.html that I have created. (I'm not actually going to use app_offline.html because that will obviously take the app offline for internal addresses as well.)

You can use URL Rewrite (http://www.iis.net/download/URLRewrite) for that. Then you can drop a web.config with the contents like:

<configuration>
  ...
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="External IP" stopProcessing="true">
          <match url="site-under-construction\.htm" negate="true" />
          <conditions>
            <add input="{REMOTE_ADDR}" pattern="192\.168\.\d+\.\d+" ignoreCase="false" negate="true" />
            <add input="{REMOTE_ADDR}" pattern="::1" ignoreCase="false" negate="true" />
            <add input="{REMOTE_ADDR}" pattern="127\.0\.0\.1" ignoreCase="false" negate="true" />
          </conditions>
          <action type="Redirect" url="/site-under-construction.htm" redirectType="Found" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
  ...
</configuration>

What it basically does is to only apply this rule if the content is not already the "site-under-construction" page (to prevent infinite redirects), and only apply this if the IP-address is not coming from 192.168.XXX.XXX (and is not localhost).

Otherwise it will let them come through to whatever page they requested.

Note that this should not be use as a security mechanism since Remote Addr could be spoofed, but sounds like for your scenario it should be fine.