For a remote site, with a SRX100, I want to be able to manage it with ssh and web but only from my external ip address. Similarly there will be an IPSec VPN between the sites but I only want to accept ike from it's specific peer's ip address.
Am I right in thinking that security policies won't have any effect as I'm not going between zones?
You are correct in stating the the security policies will not have an effect. The features you are looking for are "host-inbound-traffic", where you set the allowed services on the particular interfaces in a security zone (or the entire zone), and then setting up a firewall filter and applying it to the loopback interface to specifically allow and / or deny certain remote addresses.
