Block internet access by user

Yes, it would be , buts a big change to implement going through the firewall.

Any other ideas?

Really the only other way I can think of this is to remove the gateway ip from their ipconfig.

Via a login script ?

That's what makes it ugly. Since you want it to be for a user, it'd have to be a login script. And you'd have to have another login script to add it back for any other user.  And there will invariably be a race condition that the user may still have access. Or have workarounds (some VPN vendors allow static routes) that could bypass even this attempted block. The gateway is really just a way to generate a bunch of "default" routes based on the network class/subnet/mask.  Static routes have always ignored the gateway.

It can be done in a lot of ways, but all will require experience.
Windows alone can already set firewall rules per user, but not unless you are able enable secure rules that work with kerberos authentication.

What does this setup look like, why do you write about your DC? The user will not logon to that DC, will he? So you will have to make it happen on Windows 10. If he is the only user of that win10 machine, this could of course be easier than if other users are using the same machine, too.

What kind of firewall do you have? Cliff's suggestions are pretty dead on. So unless you have infrastructure that supports doing things easily, you're going to have a painful experience.

Sonicwall

There are two approaches:
1) Integrate with AD and block by username (most reliable)
2) Create DHCP reservations that will force the NIC and wireless cards to have a particular IP address.

Once you've done that, then you should be able to create policies blocking that either the IP, MAC address, or username from the internet.

There was no feedback from you, Cobra. I don't understand why you don't care when I told you, there are several ways.