Thanks guys for all the helpful suggestions. The easiest and most manageable for the people who have the system is probably to just do fixed IP address for this particular station and to not have a default route. I should have thought of that myself. I guess you could do the same thing and just not have DNS server defined, which would be good enough in this environment.
Then if they want to turn it back on again, they just go back to DHCP, which is a one click change and easy to explain.
The router is a netgear wired 5 port router/modem, but it doesn't seem to have blocking of access by MAC address. Yes, that would otherwise have been almost as simple.
There are only three machines in this little network, the only real reason they are on a network is to print, and the one in question is in a public part of the building. Tts not accessible by the public, but whatever is on screen is visible to visitors, its a reception desk machine with displays that vary in response to what the staff do, and that the visitors do need to see. I'm not quite sure why they don't want it to have outside access, its more at the level of a general feeling than anything else. But its their decision.
Of the other two machines, one is not on public view and is only used by a couple of specialists, and they are not bothered about it, the other does all the office admin, email and so on, and that one they obviously need to have full access. But it is in an office and so not available to all the staff, and not visible to the public.
Thanks again!
Peter