You could give the quarantined role http/https access to your dmz, for example, but unless the applications require different ports there is no way I know of to say the port is ok but what they do on the port is not. If write access is scp or ftp, however, this would work, as the quarantined role is not allowed to go to the dmz on ftp or scp ports in this scenario.
In the case of web servers, where you want to let everyone access the web but you only want those that pass posture assessment to ftp or scp new files to the servers, this would probably fit.