It depends on if you control the machines or if you are trying to prevent someone you do not trust.
If you control them it is as simple as assigning static ip addresses and removing the gateway from the setting on the machines that you do not want to have internet acess. The gateway is the path outside the lan, if the machines do not know how to get off the lan they will not have internet access because they do not know to go to the router.
If you can not trust them I would use firewall features on your router to only allow the mac addresses of the machine you want to have internet access. This will stop all but the most determined people. Then again if you have people you can not trust you have many other things to worry about just connecting them to your other machines.