Yasir Iqbal
Internet and Intranet Network separation

Dear All,

We have the internet and intranet separated at the physical layer due to company security policy. We are using DHCP for IP release on both the intranet and the internet. At times users use an intranet computer on the internet by unplugging the intranet cable and plugging in the internet cable, which we do not want. To avoid this we have configured static IPs on the intranet computers and minimized the privileges to change the IP. Through this the user cannot use the internet on the intranet computer, due to the non-release of an IP address.

My question is: is there any way, through the firewall or Windows Active Directory, by which our intranet users cannot connect to the internet on the intranet computer using DHCP? In other words, can we limit the user so they cannot connect to the internet?
masnrock

You could use GPO... one method would be to push out fake proxy settings. Depending on the firewall/router you have, you could just put rules there. There are a lot of ways to do it...
btan

Remove the DNS server and default gateway addresses; that will disable Internet access for the intranet machine. Also add the sites that you want to allow to the proxy exception list. Otherwise set a fake proxy, as mentioned by the other expert, that "sinkholes" and terminates the attempted traffic. In fact, you should also consider application whitelisting like AppLocker to restrict other unauthorised software, just in case the user tries any script to bypass at the user-rights level. It is also best to restrict and limit the use of USB, as policy will be concerned with transfer between such internal and internet machines as well.

Always good to have a slip to remind users not to do such port plug-ins. Education is important in the separation setup. Not easy, but it is a journey. Been there, done it.
https://www.experts-exchange.com/questions/28007066/Block-Internet-Access-Allow-Intranet-No-Proxy-Server.html?anchorAnswerId=38814610#a38814610

I would really recommend putting the policy into the router or firewall, but use any approach through GPO as a backup. My assumption is that you want to be able to get to any internal resources without an issue, but totally prevent outside access (this is why I didn't suggest removal of DNS or the default gateway; in an AD environment you especially need DNS from an internal standpoint). Also, if for some reason the security policy changes later, then you don't have to tinker around with system settings.

btan is correct that you should have a reminder to users. Personally, I would recommend that you go the route of having a message pop up regarding your acceptable use policy at the Windows login screen (be sure to clear it with HR and/or legal if rules dictate such in your location).
The AUP should have been issued and signed off on receipt of the issued machine. If the separation exercise has not revised the AUP, it needs to be done quickly and signed off again, especially for those issued a new internet machine. The Windows login screen banner can highlight unauthorised action and the need for oversight. Importantly, the AUP is not a one-off. It needs to be reviewed regularly, and users should acknowledge and sign off in a deterministic fashion, like every 2 or 3 years. It can be reviewed again. It will be even better if the AUP can be part of the security awareness training package and signed off digitally.

Pardon for diverting, but this is a needful milestone, as technology can help only so much, but this legal contract with the user does, in a way, have some deterrence.
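Added example, not posted by anyone in this thread: a PowerShell script that applies the fake "sinkhole" proxy with an intranet exception list (masnrock's and btan's suggestions), locks the proxy settings page so the user cannot untick it, and sets the Windows logon banner, all locally on one machine so the effect can be verified before the same registry values are pushed by GPO. The intranet DNS suffix, the internal address range and the banner wording are assumptions, not values from the question.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Local equivalent of the GPO settings discussed:
# a sinkhole proxy with an intranet exception list, a locked proxy page and a logon
# banner. In production push the same values through Group Policy instead.

# Assumptions (not from the original post): intranet names end in .corp.example and
# internal addresses are in 10.0.0.0/8.
$InternalSuffix = '*.corp.example'
$InternalRange  = '10.*'

# 1. Sinkhole proxy. Nothing listens on 127.0.0.1:9, so every non-exempt request is
#    refused at once instead of hanging. "<local>" also exempts single-label names.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-ItemProperty -Path $inet -Name ProxyEnable   -Value 1 -Type DWord
Set-ItemProperty -Path $inet -Name ProxyServer   -Value '127.0.0.1:9' -Type String
Set-ItemProperty -Path $inet -Name ProxyOverride -Value "<local>;$InternalSuffix;$InternalRange" -Type String

# 2. Lock the proxy settings page (the "Prevent changing proxy settings" policy).
$ctl = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
New-Item -Path $ctl -Force | Out-Null
Set-ItemProperty -Path $ctl -Name Proxy -Value 1 -Type DWord

# 3. Logon banner shown before the credential prompt (machine-wide, needs admin).
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $sys -Name legalnoticecaption -Value 'Intranet workstation' -Type String
Set-ItemProperty -Path $sys -Name legalnoticetext `
    -Value 'This computer may only be connected to the intranet network. See the Acceptable Use Policy.' -Type String

# 4. Check what the WinINET proxy logic now does with internal and external URLs.
#    Bypassed URLs go direct; everything else is sent to the sinkhole and refused.
$proxy = [System.Net.WebRequest]::GetSystemWebProxy()
foreach ($u in @('http://intranet.corp.example/', 'http://10.0.0.10/', 'https://www.example.com/')) {
    $uri = [uri]$u
    if ($proxy.IsBypassed($uri)) { "$u -> direct (intranet)" }
    else { "$u -> via $($proxy.GetProxy($uri)) (sinkhole, connection refused)" }
}
```

Two caveats a practitioner should keep in mind. These values live under HKCU, so a user who can edit their own hive can still flip ProxyEnable back; the "Make proxy settings per-machine" policy (ProxySettingsPerUser = 0 under HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings) moves them to HKLM where only an administrator can change them. And only software that honours the WinINET proxy is affected; a program with its own proxy handling or raw sockets, or one that uses WinHTTP settings, goes straight to the default gateway, which is why masnrock's advice to enforce the rule at the firewall or router and keep the GPO as a backup is the right order of priorities.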
ASKER CERTIFIED SOLUTION
Andy Bartkiewicz

I am also thinking that if we leave the connection on DHCP (or a valid manual config) and set the DNS manually, we can set the first DNS server to an invalid IP address (192.0.0.0 or some non-existent one) and leave the second one blank, so no domains will be able to be resolved to an IP address. This also means that only things that explicitly use the IP instead of a domain name will work, but all names will fail. End users trying to check their social accounts or web mail will fail. However, if you want to add an allow list of domains that users can resolve, you can also add them in a hosts file. Just make sure to keep it updated if IP addresses change. Rather manual, I know, but it complements the stringent controls in place.
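Added example, not from the post above: a PowerShell script that implements the bogus-resolver plus hosts-file allow-list idea and then measures what resolution looks like afterwards. The adapter name, the allow-list entries and the addresses are constructed for this example; 192.0.2.1 is chosen as the "invalid" resolver because it is in the TEST-NET-1 documentation range (RFC 5737) and is never a real server.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Points the adapter at a resolver that cannot
# answer and keeps a small allow-list in the hosts file, so only listed names resolve
# no matter which network the cable is plugged into.

# Assumptions (not from the original post): adapter alias and allow-list are
# constructed for this example; replace them with real intranet names and addresses.
$Adapter  = 'Ethernet'
$BogusDns = '192.0.2.1'          # TEST-NET-1 (RFC 5737): never a real resolver
$Allow = @{
    'intranet.corp.example' = '10.0.0.10'
    'mail.corp.example'     = '10.0.0.20'
}

# 1. Static DNS that no network can satisfy; address and gateway stay on DHCP.
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $BogusDns
Clear-DnsClientCache          # drop answers cached from the previous resolver

# 2. Rewrite only the marked block of the hosts file, so other entries survive and
#    the script can simply be re-run when an intranet address changes.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$begin = '# BEGIN intranet-allowlist'
$end   = '# END intranet-allowlist'
$keep  = @()
$skip  = $false
foreach ($line in @(Get-Content -Path $hostsPath -ErrorAction SilentlyContinue)) {
    if ($line -eq $begin) { $skip = $true;  continue }
    if ($line -eq $end)   { $skip = $false; continue }
    if (-not $skip) { $keep += $line }
}
$block = @($begin)
foreach ($e in ($Allow.GetEnumerator() | Sort-Object Key)) {
    $block += "{0}`t{1}" -f $e.Value, $e.Key
}
$block += $end
Set-Content -Path $hostsPath -Value ($keep + $block) -Encoding ASCII

# 3. Check through the normal resolver, which honours the hosts file: listed names
#    answer immediately, anything else fails only after the client's timeout.
foreach ($name in (@($Allow.Keys) + 'www.example.com')) {
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object IPAddressToString
        "{0,-25} {1}  ({2} ms)" -f $name, ($ips -join ','), $sw.ElapsedMilliseconds
    } catch {
        "{0,-25} FAIL  ({1} ms)" -f $name, $sw.ElapsedMilliseconds
    }
}
```

The timing in step 3 is the practical cost of this approach: a name that is not in the hosts file does not fail fast, it waits for the DNS client to give up on the unreachable server, and every application on the machine pays that delay for every lookup. A common variant that avoids it on the intranet is to point the adapter at the intranet DNS server's private address instead of a documentation address: on the intranet it works as normal (so Active Directory keeps working, which is masnrock's concern), and on the internet segment it is simply unreachable, provided that private range is not routable there. As the post says, anything that uses an IP literal or its own resolver (DNS over HTTPS in a browser, for instance) is not stopped by this, and some endpoint protection flags hosts-file edits as hijacking, so expect to whitelist the managed block.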
Yasir Iqbal (ASKER)

Dear All,
Thanks for the valuable suggestions. I think Network Policy Server is a much better solution and suits our environment.