Thanks, had to re-read those sections a few times. This seems to work, and I created a snippet to reuse on a few internal-only pages.
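```
# Reusable snippet: reject any request that does not come from the local subnets
(local_only) {
	# Matches clients whose address is NOT in the listed ranges
	@local_subnets {
		not remote_ip 192.168.10.0/23 192.168.1.0/24
	}
	respond @local_subnets 403
}

# Inside each internal-only site block:
import local_only
```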