You create two rules, one for "admin user" and one for just "user", and then you can restrict access based on one or the other. It probably already created the "user" group for you if you used the wizard to create your login pages. Now just duplicate that rule and add another condition that checks the additional saved session variable that identifies an admin user.