I always assumed...
It's better to lock access to everyone bar the people you can see and slowly open access back up to those you can trust and/or who scream loudly in the event of a breach?
Users tend to be more understanding when you explain why and that it's not permanent so long as you have a legitimate need to access a system.
Or maybe that's just me... (coming from someone who built a firewall rule that managed to block most of China from seeing my server at the time). That was a fun one to untangle.