The device does not have to be under warranty to get it swapped out under the clock sync program. It only had to be under warranty during the period that defective devices were shipped - so basically if you have a defective device it will get swapped out. Start at this URL and then move to the ordering tab to stat the swap out process.
https://www.cisco.com/c/en/us/support/web/clock-signal.html
Also note that a SmartNet 8x5xNBD would be considerably cheaper than buying a whole new piece of kit ... although Cisco don't swap out devices that have not failed under SmartNet - even with SmartNet you have to use the clock sync program URL I have given above.
Now to your specific questions, yes 100% you can block Internet access from some specific VLANs to the Internet. Specifically you would create a group policy with whatever access you want, and then apply that to the VLAN.
https://documentation.meraki.com/MR/Group_Policies_and_Blacklisting/Creating_and_Applying_Group_Poli...
Also note that the MX is a security appliance first, while the 4331 is a router first - and as a result the 4331 can do a lot of things that an MX can not do, such as vrf, bgp, eigrp, etc. Make sure the 4331 is only doing basic static routing and only with access control lists.
Also make sure you buy the advanced security licence for the MX.
