I have defined a subnet 220.127.116.11/16 with VLAN 200 and assigned this VLAN to multiple ports. I want to restrict some users so that they cannot browse the internet but can still access the corporate servers and data.
From a management point of view, the simplest thing to do is split the VLAN into 2 groups, one of which cannot access the internet and the other which can. Otherwise, if there is an identifying attribute you could use to sort the sheep from the goats you could apply a rule.
Or give the users with no internet access a DHCP server that only handles the corporate servers.
If the clients are not already in a group policy then you could put them in one that has custom network firewall and shaping rules with a firewall rule that denies any traffic to any. Or you could block by default and instead add the devices that are allowed on the internet into a group policy that allows internet traffic.
In Network wide --> Configure --> Group policy you add a group. In that group you give it a name, select Custom network firewall and shaping rules in the Firewall and traffic shaping section, then you add a firewall rule with a deny policy with any protocol to any destination. Save that. Then you go into Network wide --> Monitor --> Clients. Check the box on the clients you want to block from the internet, click on the policy drop-down, select group, and select the group you just made.
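An added example, not part of the thread: a small Python model for checking a group policy's rule list against the two flows the question cares about (corporate servers reachable, internet blocked) before assigning it to clients. It assumes rules are evaluated top-down with the first match winning; the `Rule` fields, the 10.10.0.0/24 server subnet and the sample addresses are constructed for illustration and are not the dashboard's own format.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    policy: str      # "allow" or "deny"
    protocol: str    # "tcp", "udp", "icmp" or "any"
    dest_cidr: str   # CIDR string or "any"
    dest_port: str   # port number as a string, or "any"

    def matches(self, protocol, dest_ip, dest_port):
        if self.protocol not in ("any", protocol):
            return False
        if self.dest_port != "any" and int(self.dest_port) != dest_port:
            return False
        if self.dest_cidr == "any":
            return True
        return ipaddress.ip_address(dest_ip) in ipaddress.ip_network(self.dest_cidr)

def evaluate(rules, protocol, dest_ip, dest_port, default="allow"):
    """Return the policy of the first matching rule (assumed first-match order)."""
    for rule in rules:
        if rule.matches(protocol, dest_ip, dest_port):
            return rule.policy
    return default

# Constructed values: 10.10.0.0/24 stands in for the corporate server subnet.
CORP_SERVERS = "10.10.0.0/24"
DENY_ANY = Rule("deny", "any", "any", "any")
ALLOW_CORP = Rule("allow", "any", CORP_SERVERS, "any")

DENY_ONLY = [DENY_ANY]                    # a single deny any/any rule
ALLOW_CORP_THEN_DENY = [ALLOW_CORP, DENY_ANY]
WRONG_ORDER = [DENY_ANY, ALLOW_CORP]      # the allow rule is never reached

# Constructed test flows: (protocol, destination IP, destination port).
FLOWS = {
    "corporate file server": ("tcp", "10.10.0.20", 445),
    "internet web site": ("tcp", "203.0.113.10", 443),
}

def audit(rules):
    """Map each test flow to the policy the rule list gives it."""
    return {name: evaluate(rules, *flow) for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for label, rules in [("deny only", DENY_ONLY),
                         ("allow corp, then deny", ALLOW_CORP_THEN_DENY),
                         ("wrong order", WRONG_ORDER)]:
        print(f"{label}: {audit(rules)}")
```

Under these assumptions, only the list with the corporate allow rule placed above the deny rule gives the restricted clients server access while blocking the internet flow.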