Posted: 9/9/2014 10:43:16 AM EDT
We have a semi-fragile computer system running plasma cutting software that we would like to be able to access via remote desktop and have it access a network drive. Those parts are covered. However, we would like to be able to block its access to the internet. I've disabled Windows Updates, but other software is always trying to reach out an update on whatever ports they like to do that kinda stuff on.

I think the Windows Firewall is the way to go, but I'm not sure which ports are involved or exactly which IPs to block.
Link Posted: 9/9/2014 11:01:41 AM EDT
[#1]
actually I found, quite by accident, if you change the default gateway to some other machine other than the gateway, it cannot reach the internet, but it can still get to all the other stuff on the internal network.

I accidentally set up something that caused it to pick it up as the gateway for all my dhcp clients. but it only affected my win 8 machines. they couldn't connect to the internet, but I could remote to them fine from the internal network.

as for blocking via firewall, or locking out ports, sometimes it works, sometimes it doesn't. have a bit of software that gets an auto push too, that seems to be using https so I can't kill it.
Link Posted: 9/9/2014 11:06:09 AM EDT
[#2]
Changing the gateway to an incorrect address is a kludge way to do it, but it will work. The correct way would be just to block all inbound and outbound traffic except the ports you need - RDP 3389 (or 5900 depending on what you're using) and CIFS/SMB 445.
Link Posted: 9/9/2014 11:09:30 AM EDT
[#3]
Change the gateway to an incorrect address. Or on the router block the cutter's IP from making outbound connections.

Most corporations block all connections by default on their firewall and then only allow the ones they require.
Link Posted: 9/9/2014 11:35:25 AM EDT
[#4]
Link Posted: 9/9/2014 7:32:06 PM EDT
[#5]
Assign it a static address and block all outbound traffic on your public firewall from that IP address.

You should really be using a proxy for outbound internet in the first place and restricting all IPs on your intranet except specific machines that require it (WSUS servers, SEP, etc).

Everything else uses proxy.
Link Posted: 9/10/2014 8:12:04 AM EDT
[#6]
Quoted:
> Assign it a static address and block all outbound traffic on your public firewall from that IP address.
>
> You should really be using a proxy for outbound internet in the first place and restricting all IPs on your intranet except specific machines that require it (WSUS servers, SEP, etc).
>
> Everything else uses proxy.

I'm working at a small metal fabrication shop in WV. For them to have IP cameras, network attached storage, and a remotely controllable computer is unheard of in these parts. I doubt that I could convince them to spring for a proxy in addition. The benefit/cost comparison doesn't look great either. I am fine with being wrong though. You all know more than me.

Previously I assigned a static IP and a correct subnet mask and left the gateway blank. It didn't allow the local network connections I wanted though. I will try to set it to an incorrect gateway next.
Link Posted: 9/10/2014 10:26:40 PM EDT
[#7]
Quoted:
> Quoted:
> > Assign it a static address and block all outbound traffic on your public firewall from that IP address.
> >
> > You should really be using a proxy for outbound internet in the first place and restricting all IPs on your intranet except specific machines that require it (WSUS servers, SEP, etc).
> >
> > Everything else uses proxy.
>
> I'm working at a small metal fabrication shop in WV. For them to have IP cameras, network attached storage, and a remotely controllable computer is unheard of in these parts. I doubt that I could convince them to spring for a proxy in addition. The benefit/cost comparison doesn't look great either. I am fine with being wrong though. You all know more than me.
>
> Previously I assigned a static IP and a correct subnet mask and left the gateway blank. It didn't allow the local network connections I wanted though. I will try to set it to an incorrect gateway next.

Virtualization. Citrix Xen is free. Vmware ESX is free too for basics.

Buy a decent physical server, virtualize a wsus and proxy server. It's worth it in the end IMO.
Link Posted: 9/13/2014 3:51:36 PM EDT
[#8]
IPv4? Remove the gateway from the settings. Packets won't know who to talk to in order to leave the LAN.

Next!
Link Posted: 9/13/2014 8:28:39 PM EDT
[#9]
If a perimeter firewall or web proxy is not an option, do it on the Windows firewall. Deny all traffic sourced from or destined to non-private IP addresses. Supplying an incorrect gateway address or leaving it blank will kill connectivity to the machine from other VLANs inside your organization, assuming you have more than one VLAN and machines reside on them. The local machine will not be able to send response packets to machines outside of the VLAN it is on.
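
The Windows Firewall approach from posts #2 and #9, as an added example that is not part of the thread: default-deny outbound with an allow rule scoped to private address ranges, plus RDP limited to the LAN. It assumes Windows 8 / Server 2012 or later (NetSecurity cmdlets) and an elevated session; the rule names are made up for illustration.

```powershell
# Added example, not from the thread. Run elevated on Windows 8 / Server 2012+.

# RFC 1918 private ranges. Narrow this to the shop's real subnet where possible.
$private = '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'

# 1. Create the allow rules BEFORE changing defaults, so an RDP session used to
#    run this script and the mapped network drive keep working.

# Outbound: only to private addresses (covers SMB 445 to the network drive).
New-NetFirewallRule -DisplayName 'Cutter: allow outbound to LAN only' `
    -Direction Outbound -Action Allow -RemoteAddress $private -Profile Any

# Inbound: RDP (TCP 3389) only from private addresses.
New-NetFirewallRule -DisplayName 'Cutter: allow RDP from LAN only' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $private -Profile Any

# 2. Turn the firewall on for every profile and switch the outbound default
#    from Allow (the Windows default) to Block. Inbound stays default-deny.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 3. Any other enabled outbound allow rule is still honoured, including ones
#    that installers added for their own updaters. List them for review and
#    disable those with no remote-address restriction that are not needed.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Group         = $_.DisplayGroup
            RemoteAddress = $addr -join ','
        }
    } | Sort-Object Group, Rule | Format-Table -AutoSize

# 4. Confirm the resulting defaults per profile.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
```

Unlike a blank or wrong gateway, this keeps routed replies to other internal VLANs working, and it blocks HTTPS-based updaters because the rule matches on destination address rather than port.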