Non-HR group members shouldn't access the ESC portal in ServiceNow

VivekO024243573
Tera Contributor

I want to put a restriction in place so that a user who belongs to any non-HR group is not able to access the ESC portal in ServiceNow. The user should be redirected to the ServiceNow homepage when he/she tries to access the ESC portal.

GlideFather
Tera Patron

Hi @VivekO024243573,

As it is ESC, couldn't it be resolved by splitting the taxonomy? One taxonomy for HR and another for non-HR?

That's the easiest possible way and actually the essence of ESC... with portals you would need more portals, but with ESC you just create corresponding taxonomies, and things like branding and some general behaviour would be managed more easily.

What do you say about this option?

_____
100 % GlideFather experience and 0 % generative AI

lauri457
Tera Sage

You can't precisely restrict someone from a portal, as the portal is essentially a theme record with the header and footer. All pages are available in all portals (excluding pages with page route maps) or using the $sp.do UI page. For obvious reasons, any security shouldn't be implemented on the client side.

If you look at a fresh instance with the explicit roles plugin and ESC, you'll see that only snc_internal and maybe a few others can see the /esc header. Many pages also require the snc_internal role, such as the OOB homepage of the ESC portal. Thus, when an external user navigates to /esc they'll just get a headerless 404 page, but they might be able to navigate to some other pages, just without the header.

This is the way to go with it in general: tie access to roles and the role to the group, instead of the access to group membership. This allows for way easier "refactors" as well. Restrict the access server-side, then auto-redirect or help users navigate to the correct place from the 404 page.

Here's a fun related activity to try: on a production instance, using a non-privileged user, navigate to

/$sp.do?id=lf&table=sys_user&sys_id=javascript:gs.getUserID() and see how many fields are editable. 
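
The design described in the reply above (access tied to a role, the role granted through a group, the check made on the server for each page rather than for the portal), as an added example that is not part of the original thread and not ServiceNow code. It is a simplified model that calls no ServiceNow API; the group, role and page names and the redirect target are constructed.

```javascript
// Constructed sample data: all group, role and page names are hypothetical.
const groupRoles = {                  // roles a group grants to its members
  "HR Services": ["hr_portal_user"],
  "Facilities": [],
};
const pageRoles = {                   // page id -> roles required ([] = any logged-in user)
  esc_home: ["hr_portal_user"],
  hr_case: ["hr_portal_user"],
  kb_article: [],
};
const REDIRECT_TARGET = "/home";      // hypothetical landing page offered from the 404

const hrUser = { name: "hr.user", groups: ["HR Services"] };
const facilitiesUser = { name: "fac.user", groups: ["Facilities"] };

// Effective roles are the union of the roles granted by the user's groups.
// Access is never decided on group membership directly.
function rolesFor(user) {
  const roles = new Set();
  for (const group of user.groups) {
    for (const role of groupRoles[group] || []) roles.add(role);
  }
  return roles;
}

// Server-side decision for one request. The portal suffix is deliberately
// ignored: a portal is only a theme, so the same page id can be requested
// under any portal and must be protected by its own role requirement.
function decide(user, portalSuffix, pageId) {
  const required = pageRoles[pageId];
  if (required === undefined) return { status: 404 };
  const roles = rolesFor(user);
  if (required.length === 0 || required.some((r) => roles.has(r))) {
    return { status: 200, page: pageId };
  }
  return { status: 404, redirect: REDIRECT_TARGET };
}

// Audit helper: every page a user can still open, whatever portal they use.
function reachablePages(user) {
  return Object.keys(pageRoles)
    .filter((id) => decide(user, "any", id).status === 200)
    .sort();
}

console.log(reachablePages(hrUser), reachablePages(facilitiesUser));
```

Running the audit for a non-HR user lists the pages that have no role requirement; those stay reachable however the portal header is restricted.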

Ankur Bawiskar
Tera Patron

@VivekO024243573

Which user are you referring to?

Agent or end users?

Regards,
Ankur
Certified Technical Architect  ||  10x ServiceNow MVP  ||  ServiceNow Community Leader