bridges, NAT, virtual machines, brain hurt :-).

Tom Horsley horsley1953 at gmail.com
Wed Dec 28 02:30:02 UTC 2011


I'd like to make a Windows virtual machine that has access to
the outside world but is completely blocked from access to my
local area network (other than whatever forwarding and routing
has to happen on my LAN).

The idea is to make a virtual Windows box which can suffer
any ill effects of unsafe browsing practices, while preventing
any of those effects from escaping into my LAN. (Then if I
use a qcow2 image with a backing file, I can reset the machine
to its original undamaged state by simply regenerating a
new qcow2 image).

I keep thinking along the lines of setting up a new bridge
on a separate subnet and doing some sort of NAT routing,
but details escape me. I can write those words, but have no
idea how to actually accomplish what I want (especially how
to restrict the NAT to the outside world and prevent any
access to local LAN).

I keep thinking this should have been done by someone already
and there should be examples out there, anyone know of any?
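
One way to express the isolation described above, as an added example that is not part of the original post. It prints IPv4 iptables rules without applying them; the bridge name, uplink interface, both subnets and the host-side DHCP/DNS service on the bridge are all assumptions.

```shell
#!/bin/sh
# Added example: prints (does not apply) iptables rules for an isolated guest bridge.
# Assumed names: virbr1 = guest-only bridge, eth0 = host interface on the LAN.
# Assumed: the host answers DHCP/DNS on the bridge and has net.ipv4.ip_forward=1.
# IPv4 only: IPv6 needs equivalent ip6tables rules or must be off on the bridge.

# Accept only dotted-quad/prefix notation, e.g. 192.168.100.0/24.
is_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# isolation_rules GUEST_NET LAN_NET BRIDGE UPLINK
# Rule order matters: the LAN drop must come before the outbound accept.
isolation_rules() {
    guest=$1 lan=$2 br=$3 up=$4
    is_cidr "$guest" && is_cidr "$lan" || { echo "bad CIDR" >&2; return 1; }
    [ "$guest" != "$lan" ] || { echo "guest and LAN subnets must differ" >&2; return 1; }
    # INPUT: guest may reach the host only for DHCP and DNS.
    # FORWARD: never to the LAN subnet; out via the uplink; replies back in;
    #          everything else to or from the bridge is dropped.
    # nat: guest traffic leaving via the uplink is masqueraded.
    cat <<EOF
iptables -A INPUT -i $br -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $br -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $br -j DROP
iptables -A FORWARD -i $br -d $lan -j DROP
iptables -A FORWARD -i $br -o $up -s $guest -j ACCEPT
iptables -A FORWARD -i $up -o $br -d $guest -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $br -j DROP
iptables -A FORWARD -o $br -j DROP
iptables -t nat -A POSTROUTING -s $guest -o $up -j MASQUERADE
EOF
}

# Constructed sample values; review the output before piping it to a root shell.
isolation_rules 192.168.100.0/24 192.168.1.0/24 virbr1 eth0
```

Because the rules are appended with `-A`, they only take effect as intended if no earlier rule in the same chains already accepts the bridge's traffic.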

