Our domain consists of around 60 computers. I have been tasked with making sure that Windows 10 workstations cannot communicate with each other. My manager asked that I create static routes so that computers can only communicate with the network printers, file server, DC, and access the Internet.
Since all of these computers are on the same network, I don't believe static routes are going to prevent these computers from seeing each other. What is the best way to allow computers on the domain to use network resources, but not communicate directly with each other?
Best Answer
If you have a switch that supports it, 'protected ports' for cabled connections or 'client isolation' for access points on Wi-Fi can help you eliminate traffic between hosts in the same Layer-2 network.
For example, this is from the Cisco switch manual:
So if you don't intend to transfer data between them, you don't need to take action once they are 'protected'.
Your clients can be on protected ports; the DHCP server, gateway, etc. can be on unprotected ports.
Update 27-07-2017
As @sirex pointed out, if you have more than one switch and they are not stacked, meaning they are virtually NOT a single switch, protected ports won't stop traffic between those.
If that is the case you would need Isolated Private VLAN ports:
If the PVLAN spans multiple switches, the VLAN trunks between the switches should be standard VLAN ports.
If you are a Cisco user, you can use this matrix to see whether your switches support the options you need.
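The two approaches from the answer above, written out as a Cisco IOS configuration. This is an added example, not part of the original answer or of any Cisco document; the interface ranges, VLAN IDs and port roles are constructed assumptions for a Catalyst-style switch.

```cisco
! ===== Option 1: one switch or one stack - protected ports =====
! Assumed layout: workstations on Gi1/0/1-20, printers, file server,
! DC and the gateway uplink on Gi1/0/21-24, all in access VLAN 10.
interface range GigabitEthernet1/0/1 - 20
 description Windows 10 workstations (isolated from each other)
 switchport mode access
 switchport access vlan 10
 switchport protected
!
! Protected <-> unprotected traffic is forwarded normally, so the
! shared resources stay reachable while protected <-> protected is dropped.
interface range GigabitEthernet1/0/21 - 24
 description printers / file server / DC / gateway
 switchport mode access
 switchport access vlan 10
 no switchport protected
!
! Verify: "Protected: true" must show only on the workstation ports.
! show interfaces GigabitEthernet1/0/1 switchport | include Protected

! ===== Option 2: several non-stacked switches - isolated PVLAN =====
! VTP v1/v2 cannot carry private VLANs, so run transparent mode.
vtp mode transparent
!
vlan 201
 private-vlan isolated
vlan 200
 private-vlan primary
 private-vlan association 201
!
! Workstations: isolated host ports (no host-to-host forwarding, even
! across the trunk to another switch).
interface range GigabitEthernet1/0/1 - 20
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
!
! Shared resources: promiscuous ports mapped to the isolated VLAN.
interface range GigabitEthernet1/0/21 - 23
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201
!
! Inter-switch link: a standard 802.1Q trunk carrying both VLANs.
interface GigabitEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 200,201
!
! Verify: show vlan private-vlan
```

Repeat the Option 2 VLAN definitions and port roles on every switch in the span; only the uplink port changes per switch.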