Our team wants to block all external IP addresses and allow only internal IP addresses. Is that possible?
Literal blocking of IP addresses can be done at the user group level: select the Access Denied option, add an IP address or range of IP addresses to the group policy, then add users to that group. Any authentication transaction by a member of that group that originates from one of those IP addresses will fail 2-factor authentication, including IA and Remembered Device transactions. This is a hard block that cannot be bypassed for any users of that group. (See more: VIP Manager Group Policy Settings.)
VIP Intelligent Authentication (IA) does block (DENY) the authentication transaction. If an IP address or range of IP addresses is uploaded to the Blocked IP Addresses list, any user authentication transaction originating from an IP in the list will always be challenged for 2-factor authentication and will not be remembered.
The Accepted IP Addresses list allows any user authentication transaction originating from an IP in the list to skip 2-factor authentication without being challenged.
[Screenshot: IA policy settings and help bubble content]
[Screenshot: VIP Manager User Group Policy]