Welcome. I am new here as well. I have read several threads and concluded that there are very smart people involved with this forum. They are so smart, I am only assuming that they would rather have a question in the subject line instead of a demand.
For your question. I dont know how many computers you are talking about, but I would just turn the internet off from each computer under the the admin privilages. That would be the easiest without complex configurations that may very well create issues for your other 4 departments.
To answer your question, it depends on how your network is set up.
I am assuming that you have all the PCs in the same IP range, and you likely have a modem/router with a few switches connected to it.
If your network admin has manually issued IP addresses to all the PCs in the network and they do not aquire their addresses via DHCP you can:
1. Remove the DNS server addresses from the network settings.
2. Create internet access rules on the router that will deny access to these PCs.
If their addresses are aquired by DHCP it is a defferent story. You will have to reserve the addresses issued to these PCs (if possible) and deny them access by creating internet access rules on the router that will deny access to these PCs.
I won't even go into creating vlans on your network, apparently the setup is low level and that would only cause you more problems...
Just one more idea to add to the mix - use the router;'s firewall settings to exclude certain IP addresses. It only means manually assigning a block of numbers to those you don't wish to go on the Net; all the others can still have DHCP allocated IP addresses.
Like all written advice, it looks harder than it will be but if gives the Network Administrator the power of being the only person with the router's login password so no-one else can override his or her wishes.