There is only a PC that is the gateway 192.168.0.1

he is not in business within the network
1 - you can manually configure the addresses on the target computer:
- for its own work, manually register the correct ip, gateway and dns (make sure that ip is out of the DHCP range, otherwise sooner or later there will be an address conflict and network failure)
- register on it the second address from another subnet, say 192.168.10.1/24
- on a computer subject to restrictions, only one address, say 192.168.10.2/24 , gateway and dns are not required, because there are none in this subnet
.. you may have to tinker with network settings - the secondary network must be private for both computers, otherwise it will not work. the use of the hosts file may be required. in general, there is certainly a place for creativity
2 - if the network cards of all computers support vlan - you will have to study what it is and separate it by vlan
in any case. but everything can be solved
ps - but if the user is literate - it will all be empty (... or cut the rights? you need to look)
upd copy-paste fixed! (additional network - 192.168. 10. *)
pps - but in general - what is the goal? could it be much easier?
- access to file resources and printers, can be separated by usernames/passwords. ban free balls
- ban access to the Internet personally at the gateway. google to help with the gateway software, but if it's just Windows - its own firewall is enough for the ears to ban a specific ip. you just have to set a fixed ip on the prisoner so that everything works
... well, or see for yourself which is easier

no way

Under such circumstances, no way. There is equipment that can do private vlan and promiscuous port, you can do this on it, but everything is "stupid" with you - it means that you cannot restrict access.