Hi again,
I thought about this a little bit and while your use case makes sense, I don’t think it’s implementable (easily? see below) via repositories. The problem is that blocked (remote) blocks outbound connections from the blocked repository. What I think you want is for outbound connections to be blocked from the remote repository which isn’t a setting. You can probably easily see why, since for example, we couldn’t block Central from giving things out, we can just block a proxy from getting things from Central.
As far as I can think, proxies would be the same setup on two servers vs one so I don’t think this helps you.
Multiple servers did make me reflect that import/export (https://issues.sonatype.org/browse/NEXUS-11468) might help you but it’s not implemented yet. With that feature, theoretically you could export from one server to another. However, this might not be enough considering the lag time in between.
Similar idea (no need to wait but lag time) between copying the work directory and blobstore from server to server (to have it not be corrupt you’d need the secure server to be shut down which means outage time for both), essentially restoring from backup. This actually may be feasible assuming you already have outages for backups though, now that I type it up, something to consider.
Ref: https://help.sonatype.com/display/NXRM3/Backup+and+Restore
A possibly less severe (or lengthy?) outage would be to manually make the local (not remote) proxy offline while the security people ran their checks but it involves manual configuration. I am unsure in this scenario what happens if the security people find failures either. I guess your description as far as I can tell doesn’t account for that (not going to guess).
If you’re willing to go manual, you could transfer the cleared components to a hosted repository and just not give any access to the outside to the insecure group. Currently, however, there is no means in NXRM to transfer items from place to place. As you analyzed, that is basically what proxies are for, so you’d be doing it this way as a workaround to a feature. So you’d need to download the cleared components and upload them manually.
I also considered asking what NXRM version you are on. If NXRM2, https://help.sonatype.com/display/NXRM2/Procurement+Suite, sounds similar to what you might want. However, note that’s a professional (paid) feature. Nothing has been implemented for NXRM3 yet but I assume if/when done that’ll also be paid.
It might sound like I’m trying to sell you something, but I think the complexity of the scenario is just beyond the OSS solution. If you do go paid to see if some of these things will work for you, our Customer Success team may also have more ideas. I suggest they’ll recommend the Lifecycle product that I mentioned previously though.
Sorry not terribly helpful, maybe someone else will have ideas.
-Joe