In other words, my router cannot prevent this from happening, right? A user can access the malicious website by altering the DNS IP server manually?
You originally asked if you can prevent people with static IP from accessing the internet. You cannot do that. You can however force them to use a DNS server you specify.
I misspoke originally; I just tested, and the router will not block their request, it just invisibly redirects it to the server you specify. A form of DNS masquerading. So the user will think the response came from the server 18.104.22.168, but in reality it was coming from your router (or whatever IP you specify).
Keep in mind, specifying "router" won't do any DNS filtering unless you also specify a filtering DNS server on the WAN page. You need to choose one of the preconfigured filtering DNS servers from the WAN screen under DNS, or alternatively specify one or two custom ones from another service that isn't listed. You'll need to research which one is best for your needs. Each one will typically have a test site you can look up to confirm the filtering is working.
Doing it this way (via the WAN screen) will mean clients can still resolve local hosts, since they are still using your router as their server, which is then forwarding non-local queries upstream. So any DNS query they send, no matter what the destination IP, will be handled by your router's DNS. It then forwards non-local requests to the filtering DNS service you've specified on the WAN page and responds to local queries itself.
The other way to do it is to leave your WAN DNS at the default (learned from your ISP, essentially these servers will be ignored), then on the LAN dns filter page you select one of the filtering servers in that dropdown, instead of "router". It will redirect all DNS queries directly to that server, bypassing your router's DNS, meaning local resolution will no longer work. While this in theory may make lookups a fraction of a millisecond faster, you lose the ability to have DNS resolution on your LAN devices doing it this way.
You can add exceptions at the bottom, for example if you want your own computer to be able to use other DNS servers, add it at the bottom and select "no filtering". So by default you'll still use the router DNS server and the filtering DNS service, but if you do an NSLOOKUP to another DNS server, or manually set the DNS on your computer, you'll be able to bypass the filtering, where others won't be able to.
Whichever way you go, I'd recommend setting the same thing on the LAN DHCP settings screen. If you are using your router as DNS proxy and specifying the filtering DNS on the WAN page, then just leave both DNS servers blank under DHCP and make sure "advertise router" is set to yes. If you are having clients directly access external filtering DNS servers, then put those servers in the DHCP settings and set "advertise router" to "no". This will not change the behavior of DNS filtering at all, it just makes things cleaner for troubleshooting, the DNS server reported by "ipconfig" will match the actual DNS that is responding. And it will actually save the router some effort in redirecting and masking the replies.
You can also enable AiProtection, which offers some additional malicious site blocking features via packet inspection rather than DNS filtering (it may use DNS filtering also; I haven't done a ton of research on it, but it claims to be doing Deep Packet Inspection). Some people have issues with the fact that Trend Micro can track you and sell statistics to advertisers etc., but since pretty much every website does that, I don't think it is a huge concern. This gives you some additional protection beyond just URL filtering.
If you want to test it out, leave your client set with a static DNS of 22.214.171.124.
Leave DNS Filter disabled.
Do a lookup for a LAN device hostname. It should come back as "non-existent"
Now enable DNS Filter and specify "router".
Do a lookup for that same LAN device, and it will respond with an IP, and the response will appear to have come from 126.96.36.199, which is impossible since Google doesn't know about your LAN devices.
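The test described above (query a LAN-only hostname against a public resolver; an NXDOMAIN means the query really left your network, an answer means the router intercepted it) can be scripted instead of eyeballed in nslookup. The following is an added example, not code from the thread or from the router firmware: it builds a raw DNS query, parses the reply, and turns the result into a verdict. The hostname "nas.lan", the LAN address 192.168.1.20 and the resolver address you pass to `probe()` are assumptions/placeholders; `build_reply()` only constructs sample replies so the logic can be exercised offline.

```python
import random
import socket
import struct


def _encode_name(name: str) -> bytes:
    """Wire-format a hostname: length-prefixed labels, zero terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, txid: int) -> bytes:
    """Minimal DNS query: one question, type A, class IN, RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", 1, 1)


def _read_name(data: bytes, offset: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, ptr
            continue
        if length == 0:
            offset += 1
            break
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (offset if end is None else end)


def parse_response(data: bytes) -> dict:
    """Extract transaction id, RCODE and any A-record addresses from a reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):          # skip question section
        _, offset = _read_name(data, offset)
        offset += 4              # QTYPE + QCLASS
    ips = []
    for _ in range(an):
        _, offset = _read_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return {"id": txid, "rcode": flags & 0x000F, "a_records": ips}


def verdict(reply: dict) -> str:
    """Interpret a reply to a LAN-only hostname that was sent to a PUBLIC resolver."""
    if reply["rcode"] == 3:          # NXDOMAIN: the public resolver really answered
        return "not intercepted"
    if reply["a_records"]:           # a public resolver cannot know LAN names
        return "intercepted"
    return "inconclusive"


def probe(name: str, server: str, port: int = 53, timeout: float = 3.0):
    """Send the query over UDP and classify the reply (needs network access)."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, port))
        data, (src_ip, _) = s.recvfrom(512)
    reply = parse_response(data)
    if reply["id"] != txid:
        raise ValueError("transaction id mismatch; reply not for our query")
    # src_ip is what the OS saw; with masquerading it still looks like `server`
    return verdict(reply), reply["a_records"], src_ip


def build_reply(txid: int, name: str, rcode: int, ips) -> bytes:
    """Construct a sample reply (test fixture only, not captured traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(ips), 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
        for ip in ips
    )
    return header + question + answers


if __name__ == "__main__":
    import sys
    # Usage: python probe.py nas.lan <public resolver IP>   (placeholders assumed)
    print(probe(sys.argv[1], sys.argv[2]))
```

With DNS Filter disabled, `probe("nas.lan", "<public resolver>")` returns "not intercepted" (RCODE 3); with it set to "router", the same call returns "intercepted" together with the LAN address, and `src_ip` still reports the public resolver because the router rewrites the reply's source.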