The simplest way to do this is to put an explicit deny statement with a destination of your inside subnet inbound on the DMZ interface. For example, if your inside subnet is 192.168.0.0/24, the ACL on the DMZ interface would look like this:
access-list dmz_access_in deny ip host 192.168.1.38 any access-list dmz_access_in deny ip any 192.168.0.0 255.255.255.0 access-list dmz_access_in permit ip any any access-group dmz_access_in in interface dmz
The above ACL would prevent 192.168.1.38 from getting to the outside, stop all hosts from accessing the inside subnet, and still allow all remaining access to the outside.
You could also do it using an outbound ACL on the inside interface, but this is much less commonly used. The ACL would look like this, which would deny any traffic from leaving the ASA on the inside interface that was sourced from a DMZ host, but allow all other traffic:
access-list inside_access_out deny ip 192.168.1.0 255.255.255.0 any access-list inside_access_out permit ip any any access-group inside_access_out out interface inside