Is there a way to let Terminal Services make some kind of 'abstraction' over the physical network interfaces of the server so they can be managed via GPO to grant or prohibit access for different users?
The basic idea is to have 2 network interfaces (user and server/management) and not let users within terminal sessions access the server/management network.
Or is this just impossible? What would be a better way to do this?
What you are looking for is not so much an abstraction but rather a user-token-based firewall solution which would allow you to sandbox or filter traffic from processes run by particular users. This is at least not done by the Windows Firewall; there might be working 3rd-party solutions, though.
Probably a better approach to security would be not to mix up user and administrative infrastructure, and instead give the administrators a terminal server of their own that is not open to users.
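As an added illustration of the user-token-based filtering the answer describes (this is example code written for this page, not from the answer's author), the following PowerShell creates an outbound Windows Firewall rule that is scoped to a user group via the `-LocalUser` SDDL parameter of `New-NetFirewallRule`, which the NetSecurity module has offered since Windows 8 / Server 2012. Processes that carry a token containing that group are blocked from reaching the management subnet, while processes running under other identities are unaffected. The group name `CONTOSO\Terminal Users`, the subnet `10.10.0.0/24` and the rule name are constructed placeholders; the two function names are the example's own.

```powershell
# Added example (not from the original answer): scope an outbound block rule to a
# user group so that processes carrying that group's token in an RDS session
# cannot reach the management subnet. Requires an elevated prompt and the
# NetSecurity module (Windows 8 / Server 2012 or later).

# Constructed placeholder values; replace with your own group and subnet.
$GroupName        = 'CONTOSO\Terminal Users'   # assumption: domain group of RDS users
$ManagementSubnet = '10.10.0.0/24'             # assumption: server/management network
$RuleName         = 'RDS users - block management network'

function New-UserScopedBlockRule {
    param(
        [Parameter(Mandatory)][string]$Principal,
        [Parameter(Mandatory)][string]$RemoteSubnet,
        [Parameter(Mandatory)][string]$DisplayName
    )

    # Resolve the group to its SID; -LocalUser wants an SDDL string, not a name.
    $sid = ([System.Security.Principal.NTAccount]$Principal).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value

    # An Allow ACE inside the SDDL selects the principals the rule applies to;
    # the rule's own -Action decides what happens to their traffic (here: Block).
    $sddl = "D:(A;;CC;;;$sid)"

    New-NetFirewallRule -DisplayName $DisplayName `
                        -Direction Outbound `
                        -Action Block `
                        -RemoteAddress $RemoteSubnet `
                        -LocalUser $sddl `
                        -Profile Any `
                        -Enabled True
}

function Test-UserScopedBlockRule {
    param([Parameter(Mandatory)][string]$DisplayName)

    # Read the rule back and show the filters that matter: remote address and user scope.
    $rule = Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction Stop
    $addr = $rule | Get-NetFirewallAddressFilter
    $sec  = $rule | Get-NetFirewallSecurityFilter
    [pscustomobject]@{
        Name          = $rule.DisplayName
        Action        = $rule.Action
        RemoteAddress = $addr.RemoteAddress
        LocalUser     = $sec.LocalUser
    }
}

New-UserScopedBlockRule -Principal $GroupName -RemoteSubnet $ManagementSubnet -DisplayName $RuleName | Out-Null
Test-UserScopedBlockRule -DisplayName $RuleName
```

Two caveats a practitioner would want: the rule matches on the token of the process that opens the socket, so services running as SYSTEM or as another account on the same terminal server are not covered by it, and it protects only the outbound side of this host. It therefore complements, rather than replaces, the answer's advice to keep administrative infrastructure on a separate server. To push the same rule through Group Policy instead of creating it locally, `New-NetFirewallRule` accepts a `-PolicyStore` of the form `domain\GPOName`; treat that detail as an assumption to check against the cmdlet's documentation for your Windows version.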