Adding 0.0.0.0 as a Local Network in server-manager will allow anyone anywhere to access /user-manager -- but I'm pretty sure it also allows anyone anywhere to access:
* ibays using samba (allowing attacks on samba)
* printers using cups (allowing annoying waste of print resources if nothing else)
* squid (allowing people to browse the internet from your IP - with bandwidth and potential legal implications)
You can restrict remote users to /server-manager and /user-manager by adding Network "0.0.0.0" with Subnet mask "0.0.0.0" under "Remote Management" in Security->Remote access.
On my server, adding this entry threw an error in server-manager. I ran these commands from a command prompt to make sure the config was activated:
expand-template /etc/httpd/conf/httpd.conf
expand-template /etc/httpd/admin-conf/httpd.conf
sv t httpd-e-smith
sv t httpd-admin
If you're going to expose server-manager to the world you should install
Fail2ban. Unless you plan to administer the server remotely using server-manager you may want to create some custom fail2ban rules that block any remote host that attempts to access /server-manager.
You may also want to look into a good IP blocklist such as
Emerging Threats (but there isn't a SME howto for this at the moment).
[edit]grammar