The "ip access-group" command will block someone from connecting to that network but not from the route appearing in the routing table.

As I understand it, you want to prevent the route from appearing in the routing table (which would ultimately prevent all access to the network, even without an ip access-group statement).

To do this, block it when you redistribute it using a route-map or you block it when it comes into a router, downstream, using the distrbute-list command.

Either way, the ip access-group statement doesn't keep the route from appearing in the routing table.

I know you said that you don't want to use a distribute list or route-map (I don't see that you need tags in this case) but that seems like the best way to do it.

Is this from some kind of test question? (when you say that you don't want to use the obviously best method, that hints to me that it is from a test question).

If you still have more questions, please post and maybe we can figure it out together.

Thanks-
David Davis