diff --git a/security/Group.php b/security/Group.php
index c635af66a..2f126a3ad 100644
--- a/security/Group.php
+++ b/security/Group.php
@@ -22,6 +22,7 @@ class Group extends DataObject {
 "CanCMSAdmin" => "Boolean",
 "Locked" => "Boolean",
 "Sort" => "Int",
+ "IPRestrictions" => "Text",
 );
 static $has_one = array(
 "Parent" => "SiteTree",
@@ -273,6 +274,26 @@ class Group extends DataObject {
 return $filteredChildren;
 }
+
+ /**
+ * Returns true if the given IP address is granted access to this group.
+ * For unrestricted groups, this always returns true.
+ */
+ function allowedIPAddress($ip) {
+ if(!$this->IPRestrictions) return true;
+ $ipPatterns = explode("\n", $this->IPRestrictions);
+ foreach($ipPatterns as $ipPattern) {
+ $ipPattern = trim($ipPattern);
+ if(preg_match('/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)$/', $ipPattern, $matches)) {
+ if($ip == $ipPattern) return true;
+ } else if(preg_match('/^([0-9]+\.[0-9]+\.[0-9]+)\/24$/', $ipPattern, $matches)
+ || preg_match('/^([0-9]+\.[0-9]+)\/16$/', $ipPattern, $matches)
+ || preg_match('/^([0-9]+)\/8$/', $ipPattern, $matches)) {
+ if(substr($ip, 0, strlen($matches[1])) == $matches[1]) return true;
+ }
+ }
+ return false;
+ }
 }
 /**
diff --git a/security/Member.php b/security/Member.php
index 1a43b82d5..d0ec6dba1 100644
--- a/security/Member.php
+++ b/security/Member.php
@@ -720,7 +720,13 @@ class Member extends DataObject {
 if(count($collatedGroups) > 0) {
 $collatedGroups = implode(", ", array_unique($collatedGroups));
- $result = singleton('Group')->instance_get("`ID` IN ($collatedGroups)", "ID", "", "", "Member_GroupSet");
+ $unfilteredGroups = singleton('Group')->instance_get("`ID` IN ($collatedGroups)", "ID", "", "", "Member_GroupSet");
+ $result = new ComponentSet();
+
+ // Only include groups where allowedIPAddress() returns true
+ foreach($unfilteredGroups as $group) {
+ if($group->allowedIPAddress($_SERVER['REMOTE_ADDR'])) $result->push($group);
+ }
 } else {
 $result = new Member_GroupSet();
 }
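Review bot: The range branch of `allowedIPAddress()` in security/Group.php compares a bare string prefix, so a pattern such as `10.1.1/24` also admits `10.1.10.5` and `10.1.100.7`, and `1/8` admits every address whose text starts with `1`. Anchor the prefix on the octet boundary instead: `if(strpos($ip, $matches[1] . '.') === 0) return true;`. The docblock should also state the accepted syntax (one pattern per line, either a full dotted address or a truncated prefix followed by `/24`, `/16` or `/8`), because a conventional entry like `10.1.1.0/24` matches none of the three expressions and is skipped without any error, leaving the group closed to that network.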
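Review bot: In the security/Member.php hunk the filtered branch now returns a plain `ComponentSet` while the `else` branch still returns `Member_GroupSet`, so callers receive a different class depending on whether the member has any groups; build the filtered set the way the `else` branch does, `$result = new Member_GroupSet();`, unless the change of type is intended. The loop also reads `$_SERVER['REMOTE_ADDR']` directly, which is not set for command-line runs and holds the proxy's address when the site sits behind a reverse proxy, so every visitor would be judged by the same address. A comment on the loop should state that assumption, for example `// REMOTE_ADDR is the direct peer; behind a proxy this is the proxy's address`. The enclosing method starts and ends outside the hunk.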
diff --git a/security/Permission.php b/security/Permission.php
index a77686b90..bcf25a9c0 100755
--- a/security/Permission.php
+++ b/security/Permission.php
@@ -177,7 +177,7 @@ class Permission extends DataObject {
 $argClause
 )
 ")->value();
-
+
 if($permission) return $permission;