I want to use VMs so I can create "real world" scenarios where I get infected with malware and then analyze it. However, I'd need to be connected to the internet so I can download the malware as would happen in the real world, but I also have to prevent the malware from spreading on the internet. What's the best way to have a real world example, but still do it responsibly?

I am not aware of a way around. You either have a honeypot type of network to capture the malware and then transfer the malware to another setting for analysis that is not connected to the internet. In the latest, you can simulate the internet by using pgms like either honeypot or InetSim. However, you can't have it both ways, captured the malware, analyse it and at the same time blocking it from going out. You can obtain live malware from OffensiveComputing if all what you want to do is just analyze the binaries.

I realized since my original post that if I had more memory I'd be able to create another VM to act as a gateway firewall and filter all outbound SMTP and throttle other outbound requests like those who setup full interaction honeypots do, but yeah, InetSim seems like the best choice right now...