Isolating from internet

I need to keep an old Windows XP running for an old stupid software in my work network, obviously I'd like to prevent it from accessing the internet (but still be accessible from the lan).

What's the best practice, router side?

Set it to a static address or use a DHCP reservation, then create a firewall rule to block forwarding from lan to wan for that specific IP.


It would be easier to configure a static IP and mask without gateway.
Or if you want to give settings with dhcp, then create a tag with null option 3, which is the default gateway.