How to give virtual machine access to the Internet, but block from LAN?

I am setting up a virtual machine using Microsoft Virtual PC in Windows 7. The VM will run a Windows XP.

I want to set up a public-facing server in it for web pages, subversion and other things, and instruct the router to port forward any requests to that Virtual Machine.

I managed to do that - I assigned the VM to the network adapter, and it is now acting as just another DHCP client - but to increase security I would like to block the VM from the rest of the LAN, so it accepts only incoming connections from the Internet. For this to be effective in case of a compromise, it would have to happen on VM level as far as I can see.

Can this be done?

You probably need a second network card connected directly to the router/firewall. When you bridge VMs card with a physical card it's almost like you would connect an untrusted PC to a switch in your trusted network.

So you should connect it directly to the router and probably setup some ACL rules (http://en.wikipedia.org/wiki/Access_control_list). But just not setting a route to your trusted network would sufficient. However you probably want some access from your trusted network for example for administration so I suggest using ACL.

Theoretically it's possible to use a "bridge" configuration and filtering unwanted packet on the host, but it would depend on the host OS and virtualization software. But I'm not familiar with slouch configurations.

Another option is setting VMs NIC in NAT mode. Then you can setup a firewall on your host PC. You have to redirect ports in the virtualization software to make your server working properly. Then you must block access to your trusted network from the virtualization software.

I would trust the first solution more.