I would like a Express REST API to be accessible over a LAN.

From what I understand I will need to make some changes in my firewall to allow this access. I managed to solve this checking the second and last mention of Node.js: Server-side Javascript in Windows Defender.

Looking at the supplied image I have a feeling that I am leaving public access open as well (I think in the English version of Windows the columns are called private and public).

What boxes should be checked to only allow access to people on the same LAN and why are there actually multiple entries with the name Node.js: Server-side Javascript?

Whether to check the Private or Public profiles depends on how your network connections (more specifically the local area network) are labeled.

You can check and alter the network type under Control Panel\Network and Internet\Network and Sharing Center.

With the shown setup, at least partial access is allowed from connections labeled as Public (and it is best to label as such any connection where you're unsure of what's going on).

Multiple entries can be caused by different installation paths. You can check the path of the executable by double-clicking on the entry. For more specifc rules, e.g. deciding which ports, protocol (TCP/UDP), source/dest addresses, etc. are allowed, see the more detailed panel Windows Defender Firewall with Advanced Security.

The left checkboxes are for private networks. The right ones are for public networks.