I would say: It depends on what exactly you want to achieve...
If you want the Gateway to only contact specific IOCs - that's what Paul pointed out. Configure the Gateway (client side) to not broadcast name resolution requests and send them to the specific IOCs only.
If you want specific IOCs to only be contacted by the Gateway, there are multiple options:
ACFs: Limit read or write (or both) access to the Gateway user on the Gateway host. You played with that.
Move ports: Configure the IOCs to use a different port on their CA server and the Gateway to use that port on the client side. This will make the whole setup "invisible" to normal clients that don't know the special port number, but it doesn't provide access limitations.
Firewall: Configure the IOC host to only allow incoming CA name resolution traffic from the Gateway host.
Cheers,
~Ralph
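As an added example (not part of Ralph's message and not code from the EPICS project), the four measures above written out as concrete settings. The host names, the gateway account name, the ACF path and the port number 5074 are assumptions chosen for illustration; the environment variable names, the st.cmd calls and the ACF syntax are the standard EPICS ones.

```shell
#!/bin/sh
# Added example: settings for locking down Channel Access between a CA gateway
# and a set of IOCs. All host names, the account name, the ACF path and the
# port number are assumptions for illustration.

GATEWAY_HOST="gw.example.org"                  # assumed: host running the CA gateway
GATEWAY_USER="gateway"                         # assumed: account the gateway runs as
IOC_HOSTS="ioc1.example.org ioc2.example.org"  # assumed: the IOCs the gateway may reach
PRIVATE_CA_PORT=5074                           # assumed: moved CA server port (default is 5064)

# Gateway client side: no broadcast name resolution, unicast only to the listed
# IOCs, on the moved port. Source the output into the gateway's environment.
gateway_client_env() {
    printf 'export EPICS_CA_AUTO_ADDR_LIST=NO\n'
    printf 'export EPICS_CA_ADDR_LIST="%s"\n' "$IOC_HOSTS"
    printf 'export EPICS_CA_SERVER_PORT=%s\n' "$PRIVATE_CA_PORT"
    # the gateway's own server side stays on the default port for normal clients
    printf 'export EPICS_CAS_SERVER_PORT=5064\n'
}

# IOC side: st.cmd lines (placed before iocInit) that move the IOC's CA server
# port and load its access security file.
ioc_stcmd_lines() {
    printf 'epicsEnvSet("EPICS_CAS_SERVER_PORT", "%s")\n' "$PRIVATE_CA_PORT"
    printf 'asSetFilename("/path/to/ioc.acf")\n'    # assumed path
}

# IOC side: ACF that lets everyone read but allows writes only from the gateway
# account on the gateway host.
ioc_acf() {
    cat <<EOF
UAG(gwusers) { $GATEWAY_USER }
HAG(gwhosts) { $GATEWAY_HOST }
ASG(DEFAULT) {
    RULE(1, READ)
    RULE(1, WRITE) {
        UAG(gwusers)
        HAG(gwhosts)
    }
}
EOF
}

# IOC host firewall: accept CA traffic (UDP name resolution and the TCP
# connections that follow) only from the gateway host. Printed for review,
# not applied.
ioc_firewall_rules() {
    for proto in udp tcp; do
        printf 'iptables -A INPUT -p %s --dport %s -s %s -j ACCEPT\n' \
            "$proto" "$PRIVATE_CA_PORT" "$GATEWAY_HOST"
        printf 'iptables -A INPUT -p %s --dport %s -j DROP\n' \
            "$proto" "$PRIVATE_CA_PORT"
    done
}

# Write all four pieces into a staging directory and list what was produced.
write_configs() {
    dir="${1:-./ca-gateway-lockdown}"
    mkdir -p "$dir"
    gateway_client_env > "$dir/gateway.env"
    ioc_stcmd_lines    > "$dir/ioc-stcmd-snippet.cmd"
    ioc_acf            > "$dir/ioc.acf"
    ioc_firewall_rules > "$dir/ioc-firewall.sh"
    ls "$dir"
}
```

Run `write_configs /tmp/ca-lockdown` to get the four files and review them before deploying anything. Two points worth keeping in mind: the user name in UAG is reported by the CA client itself, so a UAG alone is only a convention; it is the HAG on the gateway host that actually ties write access to the gateway. And moving the port only hides the IOCs from clients that use the default settings; the ACF and the firewall are what enforce the restriction.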