Which is the better to deny certain ip addresses on the inside interface access to the internet:
1. Do not setup the specific ip adresses with NAT rules.
2. Create an ACL to deny access for the specific network addresses.
I would have a different approach.
You could create a network object group called internet access, add hosts to that group that will be permited internet, you would just need to add a host in the ubject group or remove the host for no internet. I think it is much easier this way than have many access lists per host Ip, or many nat statements.
object-group network Subnet_184.108.40.206
network-object 220.127.116.11 255.255.255.255
network-object 18.104.22.168 255.255.255.255
and so on ..
create a single access list allowing outbound internet access
access-list inside_access_in permit ip object-group Subnet_22.214.171.124 any
access-group inside_access_in in interface inside
or you could revert the above to block internet access with a negate access-list, add hosts to the group for no internet.