The Computer Oracle

allowing local network access while blocking internet access

Full question
https://superuser.com/questions/81364/al...

--

Content licensed under CC BY-SA
https://meta.stackexchange.com/help/lice...

--

Tags
#internet #blocking




ANSWER 1

Score 11


Block default gateway in firewall

netsh advfirewall firewall add rule name="Block default gateway" dir=out action=block remoteip=192.168.0.1

is a good method because

  • compared to changing the
    • default gateway address to an invalid address
        netsh interface ip set address name="Local Area Connection" static 192.168.0.2 255.255.0.0 0.0.0.0
      it doesn't require DHCP disabling
    • DNS address to an invalid address
        netsh interface ip set dns "Local Area Connection" static 127.0.0.1 validate=no
      access without using DNS (e.g. http://74.125.224.72) is blocked too
  • compared to
      route delete 0.0.0.0 mask 0.0.0.0 192.168.0.1
    the setting is saved
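
Added example, not part of the original answers: a firewall rule's remoteip is compared with the destination address of each packet, so this PowerShell variant does not key on the gateway address; it allows the local subnet, makes block the default for all other outbound traffic, and then checks the result. The rule name is an assumption, 192.168.0.1 and 74.125.224.72 are the addresses used in the answers on this page, and the LAN host is assumed to answer ping.

```powershell
#Requires -RunAsAdministrator
# Added example: allow the local subnet, block everything else outbound.
# Assumed value (not from the original answers): the rule name below.
# 192.168.0.1 and 74.125.224.72 are the addresses used in the answers on this page.
$RuleName   = 'Allow outbound to local subnet'   # hypothetical name
$LanHost    = '192.168.0.1'                      # assumed to answer ping
$RemoteHost = '74.125.224.72'

# 1. Explicit allow for the directly attached subnet (all protocols and ports).
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Allow `
        -RemoteAddress LocalSubnet -Profile Any | Out-Null
}

# 2. Outbound traffic that matches no allow rule is now dropped on every profile.
Set-NetFirewallProfile -All -DefaultOutboundAction Block

# 3. Other enabled outbound allow rules still apply under a default-block policy.
#    List the ones not limited to a remote address so they can be reviewed.
$open = Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }
$open | Sort-Object DisplayGroup, DisplayName |
    Format-Table DisplayGroup, DisplayName -AutoSize

# 4. Verify with ICMP: the LAN host should answer, the internet address should not.
$lanOk    = Test-NetConnection -ComputerName $LanHost -InformationLevel Quiet `
                -WarningAction SilentlyContinue
$remoteOk = Test-NetConnection -ComputerName $RemoteHost -InformationLevel Quiet `
                -WarningAction SilentlyContinue
[pscustomobject]@{ LanReachable = $lanOk; InternetReachable = $remoteOk }
if ($remoteOk) {
    Write-Warning "Outbound to $RemoteHost still succeeds; review the rules listed above."
}

# Rollback:
#   Set-NetFirewallProfile -All -DefaultOutboundAction Allow
#   Remove-NetFirewallRule -DisplayName 'Allow outbound to local subnet'
```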



ANSWER 2

Score 9


I think the simplest way to do this is to set a wrong default gateway.




ANSWER 3

Score 1


I believe you could do this at the router level (depending on your QoS) and put in a rule to BLOCK all traffic (outbound off LAN) for that specific server/computer IP.

That way the server can function just fine internally but the router will drop / deny all access externally.




ACCEPTED ANSWER

Score 1


The easiest way to do this by far (but anyone technical could bypass) is simply to go to internet properties and change the proxy to something non-existent.

Other than this, if you have no intranet, you could look at Windows Firewall (if this is Vista+, not sure XP supports this) and block port 80 outgoing.

Both of these methods can be countered if the machine is not locked down.

Personally, if there is no reason for users to be on this other than their programs, just completely lock it down through group policy.