Monday, May 6, 2024
18
rated 0 times [  18] [ 0]  / answers: 1 / hits: 15431  / 3 Years ago, fri, august 13, 2021, 3:59:19

I'm working on an Ubuntu/Mint distro meant to be run Live. There are multiple accounts that fall into three general groups: Admin, Internet and Security.




  • Admin obviously has the authority to do whatever.

  • Internet account is for using the Internet.



The other accounts are Security accounts. Under no circumstances is any networking (Internet, printer, Bluetooth, WiFi devices, etc.) allowed.



What I'd like to do is remove the network drivers from the kernel, but that would disable the accounts that need Internet.



What are the lowest-level way(s) to disable Internet for these security accounts? I'm looking for impossible-to-connect solutions.



 Answers
1

You can do that with iptables (ip6tables).


Until reboot


On a terminal add the rule to iptables


sudo iptables -A OUTPUT -p all -m owner --uid-owner username -j DROP
sudo ip6tables -A OUTPUT -p all -m owner --uid-owner username -j DROP

where username is the user for whom you want to disable the Internet connection. Save the file and exit.


This will add a rule to iptables (ip6tables) saying that any outgoing packets created by the specified user will be automatically dropped by it.


If you want to do the same for a complete group, I suggest that instead of --uid-owner username you use --gid-owner groupname; that will have the same effect for a complete user group.


So, for example, to prevent the group security from accessing the Internet the command would look something like this


sudo iptables -A OUTPUT -p all -m owner --gid-owner security -j DROP
sudo ip6tables -A OUTPUT -p all -m owner --gid-owner security -j DROP

Permanent


To make the rule permanent you can create a script in /etc/network/if-up.d/, add the necessary lines to it and make it executable.


As an option use iptables-save (ip6tables-save) to save your current rules and restore them on boot.


Save the current iptables rules


# the redirect must run as root too, so wrap each command in a root shell
sudo sh -c 'iptables-save > /etc/iptables_rules'
sudo sh -c 'ip6tables-save > /etc/ip6tables_rules'

Open /etc/rc.local with your favorite text editor and at the end of the file add


/sbin/iptables-restore < /etc/iptables_rules
/sbin/ip6tables-restore < /etc/ip6tables_rules

That will restore the saved rules on each boot. Be careful to note that users for whom you blocked only IPv4 connections will still be able to connect to the Internet.


For more information and several more iptables options, consult its manpage.


[#40524] Friday, August 13, 2021, 3 Years  [reply] [flag answer]
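
The IPv4-only caveat in the answer above can be checked mechanically. The following is an added example, not part of the original answer: a shell function that reads an iptables-save or ip6tables-save dump and reports whether the owner-match DROP rule for a numeric uid/gid is present in the filter table's OUTPUT chain. The sample dumps, gid 1001, interface eth0 and the verdict names (ok, shadowed, missing) are constructed for illustration.

```shell
# check_owner_drop KIND ID   (dump on stdin; KIND is uid or gid)
# iptables-save prints owner ids as numbers, so pass a numeric ID.
# Prints one verdict: ok | shadowed | missing
check_owner_drop() {
    awk -v opt="--$1-owner" -v id="$2" '
        /^\*/ { table = $1 }                      # table header, e.g. *filter
        table != "*filter" || $1 != "-A" || $2 != "OUTPUT" { next }
        {
            target = ""; owner = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-j") target = $(i + 1)
                # skip negated matches, printed as "! --gid-owner N"
                if ($i == opt && $(i + 1) == id && $(i - 1) != "!") owner = 1
            }
            if (owner && target == "DROP") { found = 1; exit }
            # -A appends, so an earlier ACCEPT in OUTPUT is evaluated first
            if (target == "ACCEPT") accept_before = 1
        }
        END { print (!found ? "missing" : (accept_before ? "shadowed" : "ok")) }'
}

# Constructed sample dumps; gid 1001 stands in for the "security" group.
sample_v4() { cat <<'EOF'
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m owner --gid-owner 1001 -j DROP
COMMIT
EOF
}
sample_v6_unblocked() { cat <<'EOF'
*filter
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}
sample_v4_shadowed() { cat <<'EOF'
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -m owner --gid-owner 1001 -j DROP
COMMIT
EOF
}

for s in sample_v4 sample_v6_unblocked sample_v4_shadowed; do
    echo "$s: $($s | check_owner_drop gid 1001)"
done
```

On a live system, pipe the output of `sudo iptables-save` and `sudo ip6tables-save` into the function in turn. A `shadowed` verdict only means an ACCEPT rule sits ahead of the DROP and deserves review; it does not prove that rule matches the account's traffic.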
ardingiba
