This would best be done with access lists. You can get your 2 host SN idea to work (though the user would need his own router interface or VLAN).
On the router you could set up an extended access list (these are done in router(config)#):
access-list 101 deny tcp 0.0.0.0
access-list 101 permit 0.0.0.0 any
The LAN-network and LAN-wildcard must match all addresses on your LAN but no addresses on the internet. This could be done with multiple access-list statements - just remember that the permit "any" statement must be last in the list (and you cannot add new statements - the entire access-list must be removed from the configuration and re-added, because order matters).
Then, on the router interface (or VLAN subinterface) that this PC is connected to:
router(config-if)# access-group 101 in
I'm sure some of the more knowledgeable people will correct me or provide better ways of doing this? ;)
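Added example, not part of the post above: a small Python evaluator for Cisco-style extended ACL lines that shows the two rules the post relies on, first match wins and the implicit deny at the end, and why the permit "any" line has to come last. The addresses (PC at 10.10.10.5, LAN 192.168.1.0/24, internet host 203.0.113.10) and the use of `ip` instead of `tcp` in the deny line are my assumptions for the example, not values from the thread.

```python
"""Toy evaluator for Cisco-style numbered extended ACLs (constructed example).

Models only the parts the forum post depends on:
  - entries are checked top-down, the first match decides;
  - a wildcard mask bit of 1 means "don't care" for that address bit;
  - a packet matching no entry is dropped (implicit deny at the end).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str        # "permit" or "deny"
    protocol: str      # "ip" matches everything; "tcp"/"udp" only that protocol
    src: str
    src_wildcard: str  # Cisco wildcard mask, not a subnet mask
    dst: str
    dst_wildcard: str


def wildcard_match(addr, base, wildcard):
    """True if addr equals base on every bit the wildcard mask leaves as 0."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def _take_addr(tokens):
    """Consume one source/destination spec: 'any', 'host X', or 'X wildcard'."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def parse_acl_line(line):
    """Parse 'access-list <n> <permit|deny> <proto> <src> <dst>' into an AclEntry."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError("not an access-list line: %r" % line)
    action, proto = tokens[2], tokens[3]
    src, src_wc, rest = _take_addr(tokens[4:])
    dst, dst_wc, _ = _take_addr(rest)
    return AclEntry(action, proto, src, src_wc, dst, dst_wc)


def acl_from_lines(lines):
    return [parse_acl_line(l) for l in lines]


def evaluate(entries, protocol, src, dst):
    """Return 'permit' or 'deny' for one packet; no match means implicit deny."""
    for e in entries:
        if e.protocol != "ip" and e.protocol != protocol:
            continue
        if wildcard_match(src, e.src, e.src_wildcard) and \
           wildcard_match(dst, e.dst, e.dst_wildcard):
            return e.action
    return "deny"  # implicit deny at the end of every Cisco ACL


# Constructed configs. PC is 10.10.10.5, the LAN to keep it away from is
# 192.168.1.0/24 (wildcard 0.0.0.255), ACL applied inbound on the PC's interface.
CORRECT_ORDER = [
    "access-list 101 deny ip host 10.10.10.5 192.168.1.0 0.0.0.255",
    "access-list 101 permit ip any any",
]
# Same two lines, wrong order: the permit shadows the deny, so it never fires.
WRONG_ORDER = list(reversed(CORRECT_ORDER))
# Deny line only: the implicit deny then also blocks the internet traffic.
NO_PERMIT = CORRECT_ORDER[:1]


def demo():
    results = {}
    for name, cfg in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER), ("no_permit", NO_PERMIT)):
        acl = acl_from_lines(cfg)
        results[name] = {
            "to_lan": evaluate(acl, "tcp", "10.10.10.5", "192.168.1.20"),
            "to_internet": evaluate(acl, "tcp", "10.10.10.5", "203.0.113.10"),
        }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print("%-10s LAN=%-6s internet=%s" % (name, r["to_lan"], r["to_internet"]))
```

Running it prints that only the "correct" ordering gives LAN=deny and internet=permit; the reversed list permits everything, and the list without a trailing permit denies everything, which is exactly the two mistakes the post warns about.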