Ok, after a night's sleep and a bunch of poking around, it turns out to be relatively simple, but requires a few steps.

1) Under Advanced Settings:Access Control enable the Access Control checkbox
2) Select whether you want to default deny or default allow. Default deny is better, but requires more configuration.
3) Go to Access Control:Host and create a named Host grouping (range or specific MAC address / network ID). Annoyingly, this mac address field requires dashes and rejects colons, which are common in other software, so cutting and pasting from other network tools requires editing. Hopefully future software would just auto convert colons to dashes.
3.1) In my case, I created a group I call "cameras" and set the IP range from 192.168.1.180 to 192.168.1.255
4) Set up Targets. In my case, I have no need for the cameras to talk to any outside network, so I don't need any specific targets. The Rule system has a deny all option.
5) Back to Access Control:Rule and Add New rule.
5.1) Named the rule Block Cameras Out, select the host grouping I just created ("cameras"); any target; schedule as anytime, action deny; status enabled.
5.2) Save.

To test it, I changed my laptop to use a manual IP address and confirmed that if I set my local IP into that range, all network access above this router was blocked. Huzzah!

Now for the somewhat longer task of going through the list of devices in IP & Mac Binding: ARP List and determine what each of those is and decide whether, when, and how they should be allowed to talk to the rest of the world.

Hope that's helpful for someone else. Wish I could edit the subject/title of my post.

Hey guy, thanks for the detailed information, its quite useful for me:)