Some very quick testing...
My normal SRM firewall rules include specific outbound rules to permit LAN, Guest WiFi, VPN client LANs to access the Internet: the help on SRM firewall says that LAN-side traffic isn't handled by the firewall ... implies that LAN to/from Guest to/from VPN clients are not mediated by the firewall.
I see loads of hits on outbound LAN-side connections in the firewall counters.
I also have all the default catch-all rules (at the bottom of the policy window) set to deny.
Test 1
Add deny rule specifically for my iPhone's LAN IP going to Internet destinations on ports 80 and 443. Placed at the top of the firewall ruleset.
The iPhone now is blocked for new (uncached) web destinations and the new rule's hits are increasing.
Test 2
Remove Test 1's rule.
Deactivate my allow rule for LAN subnet to Internet. There is now no specific rule to allow LAN devices to access the Internet.
The result is that new web destination requests are still successful. This implies that the SRM firewall defaults to allowing outbound requests, but will deny if there's an explicit rule to do so.*
Conclusion
- You can use a deny rule to stop LAN-side devices from initiating outbound connections.
- You don't have to have a rule to allow LAN-side devices to access the Internet.
Recommendation
Use the LAN-side DHCP server to reserve IP addresses for devices. You can then create deny rules to stop specific devices, or a range of LAN IPs, from outbound access to specific ports/applications. Any unspecified LAN IPs will still have access to these Internet destinations.
Note: By manually grouping similar devices into DHCP IP ranges (e.g. kids get x.x.x.50 to x.x.x.60 range) you will be able to minimise the firewall deny rules.
* This is why every firewall admin gets taught to end their firewall rulebase with an explicit any/any/any/drop ... where drop doesn't reply to the initiator, so there is no signal to validate that something is at the destination IP.
Edit:
It occurs to me that if there are implied allow rules for LAN to Internet then these will be at the bottom of the firewall's rules, otherwise the deny rule in Test 1 wouldn't have worked.
For most people their SRM router will mostly be handling outbound connections (by one or two orders of magnitude vs inbound) so it is not efficient to have the rules at the end of the ruleset: the firewall tests each rule in sequence, top to bottom, until it finds a match and then actions the deny/allow.
By adding your own explicit rules for LAN to Internet and placing these towards the top of the ruleset, you'll have some optimisation in the router performance.
Also, if you really want to implement an any/any/any/deny rule at the end of the firewall's ruleset then you'll have to disable Port Forwarding's automatic firewall rules setting and do these by hand.
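The behaviour observed in Tests 1 and 2, as an added example that is not part of the original post: a small first-match model in Python, not SRM's own code. It assumes, as the Edit infers, that an implied LAN allow sits below the user's rules; all addresses and rule names are constructed, and the third value returned is how many rules were tested before a match.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src: str                        # source network in CIDR form
    action: str                     # "allow" or "deny"
    ports: frozenset = frozenset()  # empty set means any destination port

    def matches(self, src_ip, dport):
        in_src = ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
        return in_src and (not self.ports or dport in self.ports)

# Constructed sample addressing; the destination is always "Internet" in this model.
LAN, GUEST = "192.168.1.0/24", "192.168.2.0/24"
IPHONE, LAPTOP = "192.168.1.50", "192.168.1.60"

# Assumption taken from the post's Edit: an implied allow sits below the user's rules.
IMPLIED = Rule("implied LAN allow", LAN, "allow")
ALLOW_LAN = Rule("allow LAN to Internet", LAN, "allow")
ALLOW_GUEST = Rule("allow Guest to Internet", GUEST, "allow")
DENY_IPHONE_WEB = Rule("deny iPhone 80/443", IPHONE + "/32", "deny", frozenset({80, 443}))

def evaluate(user_rules, src_ip, dport):
    """First match wins. Returns (action, rule name, number of rules tested)."""
    chain = list(user_rules) + [IMPLIED]
    for tested, rule in enumerate(chain, start=1):
        if rule.matches(src_ip, dport):
            return rule.action, rule.name, tested
    return None, None, len(chain)   # nothing in this model matched

def run_tests():
    test1 = [DENY_IPHONE_WEB, ALLOW_GUEST, ALLOW_LAN]  # Test 1: deny placed at the top
    test2 = [ALLOW_GUEST]                               # Test 2: LAN allow deactivated
    return {
        "test1_iphone_443": evaluate(test1, IPHONE, 443),
        "test1_iphone_53": evaluate(test1, IPHONE, 53),
        "test1_laptop_443": evaluate(test1, LAPTOP, 443),
        "test2_iphone_443": evaluate(test2, IPHONE, 443),
        "lan_allow_first": evaluate([ALLOW_LAN, ALLOW_GUEST], LAPTOP, 443),
    }

if __name__ == "__main__":
    for name, result in run_tests().items():
        print(name, result)
```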