Rather than upgrade my Win 7 PC (which had programs and hardware I figured would break) I bought a new Win 10 machine, and a KVM switch so I could work with both. How can I keep the Win 7 machine off the internet but available over the network to the Win 10 machine?

I've turned off Windows Update on the Win 7 machine. I tried disabling the internet protocols to keep it off the internet, but this also seemed to disable its network connection with the other machine.

I'd looked at Windows Firewall, which would let me block specific programs, but I didn't see where I could isolate the whole computer. I would like to keep the Win 7 machine from seeing the internet, and the internet from seeing the Win 7 machine. My thinking there is I can limit its exposure to malware and attacks now that Win 7 is no longer supported.

In a fashion I would like to use the Win 7 machine as a file server, but also run programs I don't have installed on the Win 10 machine.

Related: Can I disable Action Center on the Win 7 machine (which is not happy that I've disabled Windows Update) and Microsoft Security Essentials, then use MSE from the Win 10 machine and scan the Win 7 machine over the network?
To make it local-only, you should be able to remove the gateway from the win7 IPv4 settings.
Your Internet router may offer an option to keep a system off the Internet during specific hours (for parental control, for instance), which you then set to the entire day.

Removing the gateway from the IP settings would require disabling DHCP and setting the address and network mask to what they were before, and leaving the gateway field empty.
How can I keep the Win 7 machine off the internet but available over the network to the Win 10 machine?

The simplest and most foolproof (though not the least costly) way to do this is to install a second gigabit Ethernet card in the Win10 box and just wire the Win7 box to it directly with an Ethernet patch cable.

Because there will be no router and no DHCP server running on that tiny two-box network, the interfaces at both ends of that cable will end up with IP addresses in the auto-configuration 169.254.x.x space if you do nothing about configuring them explicitly. Both machines should still be able to find each other by name for the purposes of Windows file and print sharing if set up this way.

Desktop Windows boxes don't do IP forwarding between interfaces by default, so the Win7 box will have no Internet access and the network connection icon in its system tray should say so.

There is no need to turn off Windows Update on the Win7 box. If it can't see the Internet, WU won't do anything anyway.
Have you considered converting the Windows 7 machine into a VM and running it in VMWare/VirtualBox/Hyper-V/etc inside Win10?

I did this -- completely converting a physical machine into a virtual one, intact -- when I migrated from XP to 7 years ago, and it worked like a charm. I know it's still possible.

Incidentally, you'd be surprised how much software from 7 "just works" in 10; I was similarly hesitant but my recent upgrade to 10 went relatively smoothly. But I do know that there may be _some_ software that doesn't carry over.
I had the same problem with my XP rig that has a $$$$$$$$$$$$$ CAD program that could not be transferred to W10. I bought a W10 All-in-One that is also used as the monitor for the XP rig. Files are transferred between the systems with a USB laptop flashcard on a Ugreen printer transfer switch. I also share a keyboard (IBM from 1984) and a printer with two other transfer switches. A Logitech MX Master mouse is shared between both systems. The XP system is noticeably faster with the router card removed. This rig lets me keep my $$$ Epsom Flatbed scanner that also will not work on W10
Thanks! Some good ideas to investigate.

flabdablet's suggestion putting another Ethernet card in the Win 10 machine and connecting it directly to the Win 7 machine appeals to me and would free up a spot in my router. Although moving the PCs and cabling around so I could install another card will be an exercise (I have a small space and everything is carefully shoehorned in and knit into place).

wearyaswater and Stoneshop's suggestions sound good, and I can probably try them sooner with less effort.

Raybun – one of my main motivations is I have an old $$$HP Flatbed scanner with an Adaptec SCSI card that didn't have a Win 7 driver but works with a 'close enough' driver and some third party software. I thought it was unlikely I'd have the same luck with the SCSI card on a Win 10 machine (jozxyqk – I may be wrong).

Thanks all for help!
moving the PCs and cabling around so I could install another card will be an exercise

If that's too much of a pain in the arse you can just use a USB3 to Ethernet adapter on the Win10 side instead of a card.
Or if that would leave you short of USB3 ports, you can get them with a hub.
That's what I ended up going with. I mounted the USB3 Ethernet adapter/hub to the front plate of my computer with some mounting tape. It used the one available USB3 port and gave me three ports back. Ran a 3ft CAT6 cable to the back of the other computer (they're right next to each other) with minimal fuss. I've been playing with it, and I'm able to get to all the files I want access to on the other computer.
Sounds tidy. Glad you got a result.
