How to block internet access while still allowing network access

[ClearOpt 0]

My work network has some PCs still running Windows XP, and given the ending of support for that OS and the security issues that go along with that, I'm wondering if blocking those PCs access to the internet is worth doing.  I have a few queries regarding this - can I use Smart Security's firewall to do this, and if so, how?  Can I block internet access while still allowing full access to the local network?  Does having access to the network negate the benefits having the XP systems blocked from the internet?  The remainder of the PCs on the network are running Windows 7.

 

I'm aware that the best option is to update to a newer OS, but that will mean updating the PCs and while that's the plan at some stage it won't be in the immediate future.

 

[Marcos 5,070]

I presume the following should work:

1, create a very general blocking rule for every communication

2, create a general allowing rule with your local subnet specified on the Remote tab in the rule editor.