HACKER Q&A
📣 baobabKoodaa

Who is at risk from the PrintNightmare RCE?


Microsoft released an emergency patch and stated that the vulnerability is being actively exploited in the wild. All the news articles describing the RCE are implying that any internet-connected computer running Windows is at risk. This can't possibly be true, can it? My question is: does the PrintNightmare RCE (CVE-2021-34527) require a privileged position, such as a Windows user account, or at least local network access? I'm assuming regular consumer routers do not expose random ports to the internet.


  👤 bruce511 Accepted Answer ✓
Disclaimer: I am not a security professional.

From what I can tell, the issue is 2, or possibly 3, issues in the print spooler.

Suggested mitigations (other than the patch) are to turn off the ability to accept remote (LAN based?) printing support (ie no printing to your printer from other machines) or to turn off the spooler completely on machines with no printer.

It is unclear if this would also suppress things like print-to-pdf but I imagine it would. So if you are not connected to a physical printer then turning off the remote print spooler is probably a good idea.

It is only tangentially referred to, but printing uses ports 137, 139 and 445. So an attacker needs to access one or more of these ports.

These ports are likely to be open by default on the machine itself, but not accessible if you are behind a router or firewall. It's certainly possible for a router to allow access via these ports, but I expect they would be closed by default. YMMV.

Of course the firewall only serves as protection as long as no malicious code is run anywhere on the LAN. So if an attacker could get a human to run code inside the LAN they can then sniff the printer servers, and run code on those servers, which would be a very big deal.

So your question about "Internet connected" is somewhat vague. In one sense most Internet server boxes do not appear to be an issue - most LAN machines are not directly at risk - but any malicious software currently running in the LAN could exploit this.
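Turning the answer above into something you can actually run on a box: the following PowerShell is an added example, not part of the original thread and not Microsoft's own guidance text. It audits the three things the answer points at (is the spooler up, is anything listening on 137/139/445 and what does the host firewall do with inbound traffic, is there a physical printer at all) and then applies one of the two non-patch mitigations described: stop and disable the spooler when there is no real printer, or keep the spooler but refuse remote client connections when a local printer is still needed. The list of "virtual" printer names and the registry mapping for the "Allow Print Spooler to accept client connections" policy (value `RegisterSpoolerRemoteRpcEndPoint`, 2 = disabled) are assumptions taken from the ADMX template and marked as such in the code; run it elevated.

```powershell
# Added example (not from the original thread): audit Print Spooler exposure
# on this host and apply one of the two non-patch mitigations discussed.
# Run from an elevated PowerShell session. Assumptions are marked inline.

# 1. Is the spooler running at all?
$spooler = Get-Service -Name Spooler
"Spooler status: $($spooler.Status), start type: $($spooler.StartType)"

# Printers that are not Windows' built-in virtual ones. The name list is an
# assumption (English locale); adjust it for your environment.
$virtual = @('Microsoft Print to PDF', 'Microsoft XPS Document Writer', 'Fax', 'OneNote*')
$realPrinters = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object {
    $name = $_.Name
    -not ($virtual | Where-Object { $name -like $_ })
})
"Non-virtual printers configured: $($realPrinters.Count)"

# 2. Which of the ports named in the answer are listening, and on what address?
#    0.0.0.0 / :: means every interface, so only the router/host firewall
#    stands between the spooler and whoever can reach the box.
$ports = 137, 139, 445
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $ports -contains $_.LocalPort } |
    Select-Object LocalAddress, LocalPort, OwningProcess
Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
    Where-Object { $ports -contains $_.LocalPort } |
    Select-Object LocalAddress, LocalPort, OwningProcess

# Is the host firewall on, and does it block inbound by default, per profile?
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# 3a. No physical printer: stop the spooler and keep it from starting again.
if ($realPrinters.Count -eq 0) {
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    "Spooler stopped and disabled (no non-virtual printers found)."
}
# 3b. A local printer is needed but never shared: keep the spooler, but tell it
#     not to accept client (remote) connections. Registry mapping of the policy
#     'Allow Print Spooler to accept client connections' is an assumption from
#     the ADMX template: DWORD RegisterSpoolerRemoteRpcEndPoint, 2 = disabled.
else {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
    Restart-Service -Name Spooler
    "Spooler kept for local printing; remote client connections disabled."
}
```

Two things to keep in mind when using it: branch 3a treats Microsoft Print to PDF as virtual, so it will stop the spooler (and therefore PDF printing) on a machine whose only "printer" is that one, which is exactly the trade-off the answer flags; if you rely on Print to PDF, force branch 3b instead. And the port listing only shows what this host exposes; whether port 445 is reachable from outside still depends on the router, so check that from the WAN side rather than trusting the local view.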


👤 atatatat
> This can't possibly be true, can it?

Yes.