Windows Firewall: Allow internal network / deny internet access

Hi all,
Been lurking here for years, but I finally need some direct help please.
I have a need to allow a specific program to have internal network access, but disallow/deny that same program all internet access. I don't see any way to do this in the firewall settings. It seems like it's an all or nothing toggle. What am I missing?
I'm using Malwarebytes Windows Firewall Control, which is just a fancy GUI for the built-in windows firewall.

windows ver: 1909

- - - Updated - - -

Really, almost 2600 views and not a single suggestion? Is this really such an impossible problem?
If so, is there another firewall program (free or paid) that would allow me to do this?
I have a security camera system that needs internal access to my network, but the software I use is notorious for pushing out automatic updates that break the system. I can't have that, so the suggestion is to block access to the internet for that program. However, I can't block internet and still allow internal network traffic with the Windows Firewall. Not that I can find anyway.

I didn't specify the program because it doesn't matter. This behavior should be universal for all programs, since it's controlled by the Windows Firewall, not the program in question.
As noted, using MalwareBytes Firewall Control is also irrelevant to the conversation, since it's only a GUI for the built-in Windows Firewall, and in fact all rules can still be added/edited/deleted directly within the Windows interface.
I purposefully didn't add a lot of details about the specific program, because I didn't want folks to get focused on it. I may have this same issue in the future with Windows blocking another program, and didn't want to run through it all again for that specific app.
Anyway, with the complete lack of responses here, I did some more digging myself into the Windows Firewall interface, and finally found the solution.

So for anyone in the future to who runs into the this problem, here's the (rather goofy) answer:
Note: I did this within the Malwarebytes Firewall interface, but the steps are essentially the same if you're doing it directly in the Windows Firewall

1) Delete any existing rules pertaining to the app/program in question
2) Create a new Outbound rule, Block all, complete the rule. Open the rule properties, go to advanced, under interface types, select [customize]. Uncheck everything except "Remote access". This will block internet (remote), but still allow local (LAN) traffic.
3) Repeat for any additional apps or services.
4) You may need to create specific "allow" rules for the LAN traffic. Malwarebytes prompted me for these, so I only had to review and accept them. If you're using the basic Windows Firewall, you'll have to make them manually, which is the reverse of the above. Just uncheck "local" and check the other 2 options.

Hopefully this will help someone in the future.

Registered just to say thank you Elmojo, your instructions helped me and worked perfect for keeping a program I use to design with from constantly ruining itself with updates but also allows it to connect to my phone and use the camera wirelessly. Appreciate you posting the answer.