when a vapp network which has nat enabled is deployed, I think we automatically check if there is a NAT on the primary NIC interface. if not, then we auto-map one. In this sense I think this is normal operation during the deployment phase.
you might be able to create 2 vapp networks, one for internal and one for external, do the manual mapping for the one VM and then don't even connect the other externally.