Yes, that is also a good way to think of going. You only allow programs that need internet to have that ability. You make firewall rules and only allow traffic to go to the programs that need it; everything else gets blocked. Start blocking stuff on the router with your rules and then go inwards to each computer and set rules, etc.

You could do this with the existing setup you have now with no outlay needed.