I would like to point out that Exchange Web Services allows EWS clients to retrieve mail although Outlook Anywhere is disabled.
A customer of mine was not comfortable with Outlook Anywhere as an un-managed computer could be used to retrieve mail. So they wanted to delay the deployment of Outlook Anywhere until proper IPsec policies where in place. However we decided to publish EWS to allow Lync to retrieve Free/busy information for remote workers. To our surprise we discovered that Outlook mail was able to access his mailbox on Exchange 2010 although Outlook Anywhere was disabled.
Now there are a number of measurements you can take to prevent access although allowing EWS to be published externally. One option is to set the access to EWS by the mailbox features.
The can be done by using the Set-Casmailbox for the users. This is an "per user" approach in which you can allow some users and disallow some others.
You can also set it on the organizational level in which you allow or disallow it for the complete environment.
This is done via the Set-OrganizationConfig.
However both settings do not consider external and internal access. This means if you disable the setting then those client will also not be able to connect to EWS from a corporate or trusted network.