|I went back to the start and reread your initial post.|
You stated you want your 2003 domain isolated from the internet and that you have two domain clients you want to have internet access.
The simple (KISS) way to achieve this is to buy a SOHO router. Plug the internet into the WAN port and your switch into a LAN port and the server and clients in the switch. Use DHCP on all computers except the server (this has to have a static IP) and the two clients you wish to access the internet.
For the DHCP Clients, stopping them from accessing the internet is a simple as removing the gateway IP from the DHCP settings. With no gateway IP, DHCP clients can't go outside the local zone (LAN).
On the two clients you want to have accessing the internet, you statically assign them IP's in the same subnet but outside the defined DHCP scope and you do assign them the gateway IP (Which should be the LAN IP of the SOHO Router).
If you do not want the server to access the internet, again, remove the gateway IP.
NOTE: You would still need to enable DNS Forwarding on the server itself and forward it's DNS to your ISP's DNS servers. This is necessary since all domain clients must authenticate to your DC and that will be the client DNS address. With forwarding configured, the two PC's able to access the internet would contact the DC for DNS resolution and requests outside the local zone would be forwarded to your ISP's DNS servers to be resolved by them.
Since a SOHO Router comes equipped with a firewall, your server and clients are all reasonably safely isolated from the internet by the router/firewall.... voila! Your aim is achieved. Two PC's are able to access the internet, no other PC or server is, and your LAN is isolated from the internet.
For an extra layer of security, you could also enable the built in firewalls on each of the aforementioned.
If you'll pardon my saying so, what you're trying to do makes no sense. Using the above setup, which I might add is a typical setup used by thousands of businesses and millions of home users, will provide good isolation from intrusion which is likely your main concern.