What is the best way to restrict network access for one machine on a home LAN?

You need to put machine C into its own network range. It is the best way to isolate the machine and protect your other machines that live on their own IP range. The only problem is that you might need an extra router with DHCP and a WAN port, or a switch that supports NAT. Possibly manually configuring PC C will also work. Essentially you are creating two networks.


Your main network (default out of box)

  • WAN IP: Public IP from ISP
  • IP LAN: 192.168.0.254 (router's IP)
  • DHCP: 192.168.0.254 (192.168.0.y - 192.168.0.z)
  • GATEWAY: 192.168.0.254

Your protected network (tweaked)

  • WAN IP: 192.168.0.x (from DHCP, second router)
  • IP LAN: 192.168.1.254
  • DHCP: 192.168.1.254 (192.168.1.y - 192.168.1.z) (for 2nd network)
  • GATEWAY: 192.168.0.254 (route to Internet only)

Manual

In your E4200 Manual on page 9 there is a section about advanced routing. This might be a solution or method to help you create separate networks. Ideally, newer routers offer Virtual Networks and things like that help you manage this better.

Alternatives

This is advanced, but it is one of the preferred ones for all good sysadmins!

You can replace your current router with an advanced pfSense-compatible router or PC. It can (and should) completely replace the router from your ISP. You need to look at the compatibility list and select a router of your liking. It requires you to install pfSense on it, which is FreeBSD. The info says it is for use as a firewall and router. Router is what you are interested in. But it does a whole lot more!

You can install proxies, squid, throttling, dns, etc. pfSense allows you to create as many networks as you want and you can configure them however you like!



Using firewalls on the computers themselves is not the resolution to the problem. It can give you a false sense of security, but firewalls are designed to protect incoming connections to a given computer. Blocking standard ports will cause unexpected long-term complications for things that were designed to make life easier!


--Edit added after answer accepted.

Some external reference where 2 sysadmins on Techsnap 101 agree that firewalls are not the answer to protecting computers from each other. Fast-forward to the end bit. Also how to isolate a machine from the network using a VLAN, NIC or routes, for the very exact question you asked here.


The first thing that came to my mind is a firewall.

You could make firewall rules on Machine C that don't allow any TCP connections to or from 192.168.x.x (or whatever your local LAN is configured to use) but allow other outgoing connections. You would need to specifically allow connections to your router though. Of course you'd need to be able to lock down this configuration so that no one can change the firewall rules.

In this case you can also change the firewalls on Machines A and B to not initiate/receive any packets from Machine C as well.

I'm not good at ASCII art but you could also pick up another router. Call your current router R1, and your network is 192.168.1.x. Pick up R2, make it a client of R1, and machine C a client of R2, by itself, with network 192.168.2.x. (Machines A and B are still on R1, 192.168.1.x). Play with the firewall on R2, allowing 192.168.2.1, but rejecting anything else 192.168.x.x. This should cost you about USD$50 or so, plus some time. You essentially create your own DMZ. Machine C is now Double-NATted, which may be good or bad, depending on what it's doing. If it's a server, you now have to allow connections from the Internet through R1 and R2. Firewalls on Machine A and B would be set for 192.168.2.x. You can still firewall Machine C, but then you still have the hardware firewall on R2 if it gets compromised.

BTW: Replacing the stock firmware on an E4200 may be good for other reasons. Some firmware versions allowed Cisco to "cloud manage" it. Also, I'm not sure if you can turn off WPS (which has been broken) through the stock firmware. If you do this, can you comment and let me know how this works? My uncle has an E4200 I was going to reflash in my infinite free time.
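The host-firewall policy described in this answer (machine C may talk to the router and to the Internet, but to nothing else on 192.168.x.x), written out as an added example that is not from either poster. It uses the router address 192.168.0.254 from the other answer as the assumed gateway, and it renders the rules as iptables command strings for review rather than applying them.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed values following the thread (assumptions, not from the posters):
# the home router sits at 192.168.0.254 and "192.168.x.x" is the whole private
# block that machine C must not talk to, except for the router itself.
GATEWAY = ipaddress.ip_address("192.168.0.254")
BLOCKED = ipaddress.ip_network("192.168.0.0/16")


def allowed(peer: str, gateway=GATEWAY, blocked=BLOCKED) -> bool:
    """Policy from the answer: the router is reachable, the rest of the LAN is
    not, and anything outside the LAN (the Internet) is still allowed."""
    ip = ipaddress.ip_address(peer)
    if ip == gateway:
        return True
    return ip not in blocked


def iptables_rules(gateway=GATEWAY, blocked=BLOCKED) -> List[str]:
    """Render the same policy as iptables commands for machine C, returned as
    strings so the rule set can be reviewed before anyone applies it.
    Order matters: established replies and the gateway exceptions are accepted
    before the broad 192.168.0.0/16 drops. Blocking all protocols (not only TCP,
    as the answer words it) is deliberately stricter."""
    g, b = str(gateway), str(blocked)
    return [
        "iptables -P INPUT DROP",        # nothing unsolicited reaches machine C
        "iptables -P OUTPUT ACCEPT",     # outbound is allowed unless dropped below
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A INPUT -s {g} -j ACCEPT",   # router (DHCP/DNS) may reach C
        f"iptables -A OUTPUT -d {g} -j ACCEPT",  # C may reach the router
        f"iptables -A INPUT -s {b} -j DROP",     # everything else on the LAN: no
        f"iptables -A OUTPUT -d {b} -j DROP",
    ]


def check_policy(peers: Iterable[str]) -> Dict[str, bool]:
    """Evaluate a set of candidate peers against the policy, e.g. machines A and B
    versus an Internet host, to confirm the rules say what you intend."""
    return {p: allowed(p) for p in peers}


if __name__ == "__main__":
    # Constructed sample: two LAN hosts, the router, and an Internet address.
    for peer, ok in check_policy(["192.168.0.10", "192.168.0.254", "192.168.1.7", "93.184.216.34"]).items():
        print(f"{peer:>15}: {'allow' if ok else 'drop'}")
    print("\n".join(iptables_rules()))
```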