We restrict some of our workstations from accessing the internet.
At the network level, the router drops any packet with a destination outside of the LAN and generates warnings in the log.
At the OS level (Windows workstations), we use a low-level driver that blocks the same. It helps to keep the router's logs empty of warnings, because Windows never sends anything to an external IP. Also, it's a trap for deep backdoors.
We are going to buy new workstations with Intel 7/8-series chipsets. Intel Anti-Theft settings will be default (not activated).
The question: will we find in the router's log any (even 1) connection attempt to the internet (or DNS resolve requests) after a year of use?