All computers in the small office are Windows XP (SP2 and up to date), using peer to peer. One Windows XP Pro acts as a peer-to-peer "server" for documents and databases. All PCs have Norton 2005 Antivirus. The Internet is used for proprietary financial software updates. No funny stuff. We scan for spyware regularly and back up regularly.
My main concern was the other subnet/workgroup (which is a different company/business) seeing or accessing our PCs, since I have no idea if or how they are protected. I don't want some worm or virus from the other group getting into our PCs.
I don't consider the cheap firewalls worth purchasing if you want to run an office or commercial space; the TZ series is not something I would purchase for any customer. I have a strong fondness for WatchGuard and would purchase an X700 for a company/commercial site, but they run about $1900.
Unless you want to do HTTP filtering, attachment removal (on inbound SMTP to the mail server), etc., you can get by fine with a cheap NAT router in most cases. You really need to monitor the Linksys unit logs (use Wall Watcher).
I've got a number of customers that use the BEFVP41 unit for IPSec tunnels to the home office; none of them have port forwarding, and none of them have been compromised.
If you do the poor-man's DMZ/LAN using double routers, you won't have much in the way of problems. Again, the router is not a firewall and has nothing to stop users from running malicious code on web/FTP sites or from opening infected email.
If you run your own email server, make sure that you remove any attachment that can't be virus scanned or that could be executed before it gets to the user's email box (GFI and Symantec make good products for this).
If you have a web/FTP server, make sure you lock it down; follow all the MS directions (or those for the OS you use). I use FileZilla Server for FTP, as I don't like the limited configuration options that you get with IIS on Windows.
What we need to know is what you are running inside that could be compromised and what services you allow your users to use: what OS, what virus protection, etc.
We set up a multi-tenant office space (2 floors, 6 different companies); we got a T1 for the building and 16 public IPs. We set up a single Linksys router for each, giving them each a PUBLIC IP but no inbound forwarding, and none of them have the admin password to the routers (and the routers are locked in a closet where only the building owner has a key).
If you want to have both groups completely isolated from each other, you need two IPs, one for each router, like this:
The only way the outer LAN can get to the inner LAN is if you open ports on the inner LAN. The inner LAN (LAN 2) has no unsolicited inbound means of access, so unless your LAN 2 machines contact LAN 1 machines, LAN 1 machines can't talk to LAN 2 machines.
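The following is a small model of the one property that reply relies on, added here as an example rather than taken from the post: a consumer NAT router with no port forwards passes inbound traffic only when it matches a flow an inside host started. The router class, the addresses (192.168.1.x for LAN 1, 192.168.2.x for LAN 2, with the inner router's WAN side at 192.168.1.2) and the port-forward scenario are all constructed assumptions; a real router also times flows out and tracks TCP state, which this model leaves out.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


# (inside ip, inside port, remote ip, remote port) of a flow an inside host opened
FlowKey = Tuple[str, int, str, int]


class NatRouter:
    """Minimal stateful NAT standing in for the inner (LAN 2) router.

    Constructed model: no flow timeouts and no TCP state machine, only the
    "was this flow started from inside?" check that makes the layout work.
    """

    def __init__(self, wan_ip: str, inside_prefix: str,
                 forwards: Optional[Dict[int, Tuple[str, int]]] = None):
        self.wan_ip = wan_ip                      # address on the outer LAN (LAN 1)
        self.inside_prefix = inside_prefix        # e.g. "192.168.2."
        self.forwards = dict(forwards or {})      # wan port -> (inside host, port)
        self.flows: Dict[FlowKey, int] = {}       # inside-initiated flow -> wan port
        self.by_wan_port: Dict[int, FlowKey] = {}
        self.next_port = 40000
        self.dropped: List[Packet] = []           # what the router log would record

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: remember the flow, rewrite the source to the WAN side."""
        if not pkt.src.startswith(self.inside_prefix):
            raise ValueError("outbound() expects a packet from an inside host")
        key: FlowKey = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.flows:
            self.flows[key] = self.next_port
            self.by_wan_port[self.next_port] = key
            self.next_port += 1
        return Packet(self.wan_ip, self.flows[key], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: pass only replies to inside-initiated flows or
        explicit port forwards; anything else is unsolicited and dropped."""
        if pkt.dst == self.wan_ip:
            key = self.by_wan_port.get(pkt.dport)
            if key is not None and (pkt.src, pkt.sport) == (key[2], key[3]):
                return Packet(pkt.src, pkt.sport, key[0], key[1])
            if pkt.dport in self.forwards:
                host, port = self.forwards[pkt.dport]
                return Packet(pkt.src, pkt.sport, host, port)
        self.dropped.append(pkt)
        return None


# Constructed addresses for the scenarios below
LAN1_HOST = "192.168.1.50"      # a machine in the other company's workgroup
INNER_WAN = "192.168.1.2"       # the inner router's outside interface, on LAN 1
LAN2_HOST = "192.168.2.10"      # one of "our" machines behind the inner router


def unsolicited_probe_is_dropped() -> bool:
    """LAN 1 tries to reach SMB on the inner router: no flow, no forward, dropped."""
    inner = NatRouter(INNER_WAN, "192.168.2.")
    probe = Packet(LAN1_HOST, 51000, INNER_WAN, 445)
    return inner.inbound(probe) is None and inner.dropped == [probe]


def reply_to_inside_initiated_flow_passes() -> bool:
    """LAN 2 opens a connection to LAN 1; the reply is translated back inside."""
    inner = NatRouter(INNER_WAN, "192.168.2.")
    request = inner.outbound(Packet(LAN2_HOST, 3456, LAN1_HOST, 80))
    reply = Packet(LAN1_HOST, 80, request.src, request.sport)
    return inner.inbound(reply) == Packet(LAN1_HOST, 80, LAN2_HOST, 3456)


def port_forward_reopens_the_hole() -> bool:
    """Forwarding 445 to an inside host is exactly the 'open ports' case."""
    inner = NatRouter(INNER_WAN, "192.168.2.", forwards={445: ("192.168.2.20", 445)})
    probe = Packet(LAN1_HOST, 51000, INNER_WAN, 445)
    return inner.inbound(probe) == Packet(LAN1_HOST, 51000, "192.168.2.20", 445)


if __name__ == "__main__":
    print("unsolicited probe dropped:", unsolicited_probe_is_dropped())
    print("reply to inside flow passes:", reply_to_inside_initiated_flow_passes())
    print("port forward opens hole:", port_forward_reopens_the_hole())
```

The third scenario is the point the reply makes about opening ports: a single forward on the inner router is enough to let the outer LAN reach an inner host unsolicited, which is why the multi-tenant setup described above left every router without inbound forwarding.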
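As an added example of the mail-server attachment policy in that reply (not the poster's code, and not GFI's or Symantec's), the following uses only Python's standard library to replace executable attachments, and ZIP archives a scanner could not open, with a notice before the message reaches the mailbox. The executable-extension list, the sample message and the "encrypted" ZIP (built by patching the encryption flag bit into a plain archive, since zipfile cannot write password-protected ones) are all constructed for illustration.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

# Extensions Windows runs directly on double-click. Constructed, illustrative list.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta", ".cpl"}


def zip_is_unscannable(data: bytes) -> bool:
    """True if the archive is encrypted (bit 0 of the general-purpose flags)
    or cannot be opened at all: either way a gateway scanner cannot look inside."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return True


def attachment_verdict(part: EmailMessage) -> Optional[str]:
    """Return why this part must be removed, or None if it may pass through."""
    filename = part.get_filename()
    if not filename:
        return None                      # body text, not an attachment
    ext = os.path.splitext(filename)[1].lower()
    if ext in EXECUTABLE_EXTS:
        return f"executable attachment {filename}"
    if ext == ".zip" and zip_is_unscannable(part.get_payload(decode=True)):
        return f"archive {filename} cannot be virus scanned"
    return None


def strip_attachments(raw: bytes) -> Tuple[bytes, List[str]]:
    """Replace each disallowed attachment with a short text notice, in place."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons: List[str] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        reason = attachment_verdict(part)
        if reason:
            reasons.append(reason)
            part.clear_content()             # drops payload and all Content-* headers
            part.set_content(f"[mail gateway removed: {reason}]")
            del part["MIME-Version"]         # set_content adds it; not wanted on a subpart
    return msg.as_bytes(), reasons


def attachment_names(raw: bytes) -> List[str]:
    """Filenames still attached after filtering (used to check the result)."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def make_flagged_zip() -> bytes:
    """Constructed sample: zipfile cannot write password-protected archives,
    so patch the 'encrypted' flag bit into the local and central headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("quarterly.xls", b"not really encrypted; flag only")
    data = bytearray(buf.getvalue())
    for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        data[data.find(signature) + flag_offset] |= 0x01
    return bytes(data)


def build_sample_message() -> bytes:
    """Constructed inbound mail: one body, one .exe, one flagged .zip, one .txt."""
    msg = EmailMessage()
    msg["From"] = "vendor@example.invalid"
    msg["To"] = "accounts@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"MZ\x90\x00 not a real program", maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    msg.add_attachment(make_flagged_zip(), maintype="application",
                       subtype="zip", filename="reports.zip")
    msg.add_attachment("plain text report", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    cleaned, why = strip_attachments(build_sample_message())
    print(why)                       # the two removal reasons
    print(attachment_names(cleaned)) # only notes.txt remains
```

The extension check is deliberately done on the declared filename rather than the declared MIME type, because a mail client on the receiving end decides what to run by the filename; the encrypted-archive check covers the "can't be virus scanned" half of the rule, since nothing at the gateway can inspect a password-protected ZIP.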