This certainly is possible. From what I understand, if a user leaves your network with a laptop, you want to prevent it from connecting anywhere. You also only want laptops within your network to connect to your local network. Correct?
If this is the case, you can use Connection Isolation Groups. Create a firewall policy with a "Block all" rule at the bottom. Then, create a Connection Isolation Group above it. Make the criteria for this group your local subnets under the "network options" tab. Of course you could also use a common internal Default Gateway, DNS server, DHCP server, etc.
Once this group is created, you can then create rules inside this group to allow whatever type of communication between nodes on your internal network.
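To make the ordering in the reply concrete, here is an added Python model of how such a policy evaluates (example code written for this page, not the firewall product's own engine or configuration format). It assumes first-match, top-to-bottom evaluation: the isolation group's rules only apply while the host's current subnet, gateway and DNS server meet the group criteria, and anything that falls through hits the final "Block all" rule. All subnets, addresses and names are constructed for illustration. The last scenario shows why the reply suggests adding a gateway or DNS criterion: a home network that happens to reuse one of your private ranges would otherwise satisfy a subnet-only group.

```python
# Added example: first-match model of "Connection Isolation Group above Block all".
# All names, subnets and addresses below are constructed for illustration.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Union


@dataclass
class HostContext:
    """What the endpoint currently sees: its own address, default gateway and DNS server."""
    local_ip: str
    default_gateway: str
    dns_server: str


@dataclass
class Rule:
    name: str
    action: str                   # "allow" or "block"
    remote: Optional[str] = None  # CIDR the remote peer must fall in; None = any remote

    def matches(self, remote_ip: str) -> bool:
        return self.remote is None or ip_address(remote_ip) in ip_network(self.remote)


@dataclass
class IsolationGroup:
    """Rules inside the group apply only while the host's network matches the criteria."""
    name: str
    local_subnets: List[str]
    gateways: List[str] = field(default_factory=list)     # empty list = criterion not checked
    dns_servers: List[str] = field(default_factory=list)  # empty list = criterion not checked
    rules: List[Rule] = field(default_factory=list)

    def is_active(self, ctx: HostContext) -> bool:
        on_subnet = any(ip_address(ctx.local_ip) in ip_network(s) for s in self.local_subnets)
        gw_ok = not self.gateways or ctx.default_gateway in self.gateways
        dns_ok = not self.dns_servers or ctx.dns_server in self.dns_servers
        return on_subnet and gw_ok and dns_ok


Entry = Union[Rule, IsolationGroup]


def decide(policy: List[Entry], ctx: HostContext, remote_ip: str) -> str:
    """Evaluate top to bottom; first matching rule wins. An inactive group is skipped whole."""
    for entry in policy:
        if isinstance(entry, IsolationGroup):
            if not entry.is_active(ctx):
                continue
            for rule in entry.rules:
                if rule.matches(remote_ip):
                    return f"{rule.action}:{rule.name}"
        elif entry.matches(remote_ip):
            return f"{entry.action}:{entry.name}"
    return "block:implicit-deny"  # only reached if no "Block all" rule was configured


# Constructed corporate network parameters (hypothetical values).
CORP_SUBNETS = ["10.10.0.0/16", "192.168.50.0/24"]
CORP_GATEWAYS = ["10.10.0.1", "192.168.50.1"]
CORP_DNS = ["10.10.0.53"]


def build_policy(check_dns: bool = True) -> List[Entry]:
    """Isolation group with LAN-to-LAN allow rules, followed by the catch-all Block all."""
    group = IsolationGroup(
        name="on-corporate-lan",
        local_subnets=CORP_SUBNETS,
        gateways=CORP_GATEWAYS,
        dns_servers=CORP_DNS if check_dns else [],
        rules=[Rule("allow-lan", "allow", subnet) for subnet in CORP_SUBNETS],
    )
    return [group, Rule("block-all", "block")]


# Constructed host situations.
CORP = HostContext("10.10.4.20", "10.10.0.1", "10.10.0.53")        # laptop docked at the office
HOME = HostContext("192.168.1.7", "192.168.1.1", "192.168.1.1")     # laptop on a typical home router
LOOKALIKE = HostContext("192.168.50.9", "192.168.50.1", "192.168.50.1")  # home net reusing a corporate range


if __name__ == "__main__":
    strict = build_policy()
    loose = build_policy(check_dns=False)
    print("office -> LAN host:    ", decide(strict, CORP, "10.10.1.5"))
    print("office -> internet:    ", decide(strict, CORP, "203.0.113.10"))
    print("home -> LAN host:      ", decide(strict, HOME, "10.10.1.5"))
    print("lookalike, subnet+gw:  ", decide(loose, LOOKALIKE, "192.168.50.20"))
    print("lookalike, +DNS check: ", decide(strict, LOOKALIKE, "192.168.50.20"))
```

Running it shows traffic between internal nodes allowed only while the host actually sits on the corporate network, everything else falling through to Block all, and the look-alike home network being admitted by a subnet-only group but rejected once the internal DNS server is part of the criteria.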