It is relatively easy to control access to the various HTTP request types (protocols) for your ASP.Net WebService.
Add something like this to the system.web section of your web.config:
<webServices>
<protocols>
<add name="HttpSoap"/>
<add name="HttpGet"/> <!-- Because this web service is all GET methods remotely -->
<add name="HttpPostLocalhost"/> <!-- So you can test/POST locally -->
<remove name="Documentation"/> <!-- So the outside world can't see your method documentation -->
<remove name="HttpPost"/> <!-- Remove general POSTs from the outside world -->
</protocols>
</webServices>
Of course you will want to tailor this to the needs of your own web service. 