Enable / disable internet access in selected classrooms


We have several classrooms networked (wired Ethernet) which need continuous access to the domain controller (which has DHCP and DNS) and, in addition, internet access only when allowed by the teacher.

The router / firewall IP is on the same subnet as the domain controller. A small sketch of a similar system is available here (with separate switches for internet and domain controller):


How can we avoid connecting ALL classrooms to the internet once the gateway cable is connected to the domain controller net in *one* classroom?

All classrooms which have the blue cable (in the sketch) plugged into one of the classroom switch's ports will have internet access, and no access when this blue cable is unplugged.

The domain controller subnet switch (in the sketch) needs to have each port isolated from the others so that an interconnection between black (domain controller net) and blue (gateway net) in selected classrooms does not influence internet access for the rest of the classrooms.

Thanks if someone has some bright ideas ;-)

regards Geir