As has already been mentioned, the recommendation here is to install the LUA on the sole client hat has Internet access, and point the unmanaged machines at that client for updates.
I think links on how to setup the LUA have already been shared, so all good. I think you might find the below handy on how to point unmanaged machines at a LUA though:
http://www.symantec.com/docs/TECH166129
NOTE: The steps in this article allow you to keep them as unmanaged clients, instead of making them managed clients by changing the sylink file.
It's also worth bearing the below in mind:
- LUA has no integration with SEP (i.e. SEP client on the internet-connected machine can have later definitions than the LUA, and vice versa. Depends on which one happens to hit its update schedule first)
- No integration also means no reporting/management. You have no way of centrally reporting/managing on the unmanaged clients from the SEPM (I'm sure you're probably already aware, but t's always prudent to state these things outright)