With the new network feature in Docker 1.10 it is possible to create isolated overlay networks - which works very well. Containers in 2 separate networks cannot talk to each other. Is it possible, however, to deny a container in an overlay network access to the public internet? E.g. to make ping 8.8.8.8 fail, while having the docker host connected to the internet.
Answer 1:
If you add the --internal flag when creating a network with the docker network create command, then that network will not have outbound network access:
docker network create --internal --subnet 10.1.1.0/24 mynetwork
I assume -- but have not tested -- that this works for overlay networks as well as for host-local networks.
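An added example, not part of the original answer: a container on an --internal network can still reach the internet if it is also attached to a network that is not internal, so this check reads `docker network inspect` output and lists, for each container on an internal network, the non-internal networks it also sits on. The JSON below is constructed sample data (network `frontend` and the container names and IDs are assumptions), trimmed to the fields the check uses.

```python
import json

# Constructed sample shaped like `docker network inspect mynetwork frontend`.
SAMPLE_INSPECT = """
[
  {"Name": "mynetwork", "Driver": "overlay", "Internal": true,
   "IPAM": {"Config": [{"Subnet": "10.1.1.0/24"}]},
   "Containers": {"aaa111": {"Name": "cache"}, "ccc333": {"Name": "db"}}},
  {"Name": "frontend", "Driver": "overlay", "Internal": false,
   "IPAM": {"Config": [{"Subnet": "10.1.2.0/24"}]},
   "Containers": {"bbb222": {"Name": "web"}, "ccc333": {"Name": "db"}}}
]
"""


def egress_report(inspect_json):
    """Return {container name: [non-internal networks it is attached to]}
    for every container that sits on at least one --internal network.
    An empty list means no attached network offers outbound access."""
    networks = json.loads(inspect_json)
    internal_members = {}  # container id -> name, members of internal networks
    open_membership = {}   # container id -> names of non-internal networks
    for net in networks:
        # Assumption: a missing "Internal" field is treated as not isolated.
        is_internal = net.get("Internal", False)
        # "Containers" may be absent or null when nothing is attached.
        for cid, info in (net.get("Containers") or {}).items():
            if is_internal:
                internal_members[cid] = info.get("Name", cid)
            else:
                open_membership.setdefault(cid, []).append(net["Name"])
    return {name: sorted(open_membership.get(cid, []))
            for cid, name in internal_members.items()}


if __name__ == "__main__":
    for name, nets in sorted(egress_report(SAMPLE_INSPECT).items()):
        status = "isolated" if not nets else "egress via " + ", ".join(nets)
        print(f"{name}: {status}")
```
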