
Windows Server Forum / Security / General Topics / October 2005


sharing broadband with guests

Dave Cleveland - 31 Oct 2005 05:30 GMT
I want to share a DSL connection with guests via WiFi in a small mountain
inn.  The DSL modem is also a wireless router which protects my whole
network from the outside world.  My question is how do I protect the two
business PCs from the guests?  Is it enough to run the XP firewall and use
strong passwords, or do I need an additional hardware firewall between me
and the guests?  This lodge is in a remote mountain area so I'm not planning
to use any wireless encryption methods because it will be a hassle to make
sure all guests know how to use it.  Is it a bad idea to leave the wireless
network wide open in my situation?
Steven L Umbach - 31 Oct 2005 07:19 GMT
Using the Windows Firewall should prevent users from accessing your
computers, but if the Windows Firewall becomes disabled or misconfigured then
your network is vulnerable, and your non-encrypted data can be sniffed with
or without the Windows Firewall. Therefore I personally could not recommend
that solution. There are wireless devices that isolate users from accessing
each other, but you will not find them at Best Buy. Cisco or 3Com would be
manufacturers to look at for something like that. Otherwise get a couple of
IP addresses from your ISP and then have two wireless routers that are
physically secured - one for you and one for guests. If you go that route, be
sure to use WPA with at least a 15-character complex passphrase to encrypt
your wireless network so other users cannot access it. As far as guests,
you would need to warn them that their computers are not secure from other
users on the network, that they need to use their firewall, that their
non-encrypted data is not confidential, and that you cannot be responsible for
any data loss or theft of data if you are going to be providing them with
common access via a simple wireless router.   --- Steve

>I want to share a DSL connection with guests via WiFi in a small mountain
>inn.  The DSL modem is also a wireless router which protects my whole
[quoted text clipped - 5 lines]
>to make sure all guests know how to use it.  Is it a bad idea to leave the
>wireless network wide open in my situation?
N. Miller - 31 Oct 2005 08:10 GMT
> I want to share a DSL connection with guests via WiFi in a small mountain
> inn.  The DSL modem is also a wireless router which protects my whole
[quoted text clipped - 5 lines]
> sure all guests know how to use it.  Is it a bad idea to leave the wireless
> network wide open in my situation?

To the last question; "Yes!"

What you need is a second NAT router. Connect one wired LAN port of the
modem/w-router to the WAN port of the new router. Set either router LAN IP
address to a different block. If you leave the W-LAN at 192.168.x.x, your
guests can figure out how to associate to the LAN. Change your second
router to use something like 172.24.42.1 with a subnet mask of
255.255.255.0. That will give you a range of usable IP addresses from
172.24.42.1 to 172.24.42.254. You will still be able to reach the Internet
from behind that second router; but your guests won't be able to reach your
LAN behind that second router. (That range of reserved IP addresses only
runs from 172.16.0.0 to 172.31.255.255; keep it within those limits.)

Frankly, though, I would be inclined to set up two new routers; one
wireless, the other wired only. Use the modem/router to wire a connection
to the WAN port of each of the second routers. Don't allow wireless access
on the modem/router LAN. In fact, use a subnet mask that would restrict the
number of devices on this "outer" LAN. Something like, 192.168.0.1, with a
subnet mask of 255.255.255.252; that should restrict your addresses to just
192.168.0.1 on the wired only router WAN port, and 192.168.0.2 on the
wireless router WAN port.

Keep the 172.24.42.0/24 LAN wired only. Set up the second wireless router
on 192.168.x.1, where 'x' is not the same on the new wireless router as it
is on the modem/router. Completely disable wireless on the modem/router.
Zip, nada, zilch. Don't allow any wireless connection to that device at
all. This will both create two completely isolated LANs, and it will also
mitigate the chance of W-LAN guests sniffing the wired LAN packets.

Signature

Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint
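
The addressing rules in the reply above (stay inside the private ranges, give each LAN its own block, size the small "outer" subnet to what is plugged into it), as an added example that is not part of the original thread. The function name, the segment labels, `x = 10` for the guest LAN and the interface counts are assumptions made for illustration.

```python
import ipaddress

# RFC 1918 private blocks; 172.16.0.0/12 is the "172.16.0.0 to 172.31.255.255" range.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_plan(segments):
    """segments: {name: (router_ip, netmask, interface_count)} -> list of problems."""
    problems, nets = [], {}
    for name, (addr, mask, interfaces) in segments.items():
        net = ipaddress.ip_interface(f"{addr}/{mask}").network
        nets[name] = net
        if not any(net.subnet_of(block) for block in RFC1918):
            problems.append(f"{name}: {net} is not inside a private range")
        usable = max(net.num_addresses - 2, 0)  # minus network and broadcast
        if interfaces > usable:
            problems.append(
                f"{name}: {interfaces} interfaces, {net} has {usable} usable addresses")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} overlap: {nets[a]} / {nets[b]}")
    return problems

# Constructed plan for the three-router layout (x = 10 is an assumed value).
PLAN = {
    "outer LAN": ("192.168.0.1", "255.255.255.252", 2),       # two router WAN ports
    "business wired LAN": ("172.24.42.1", "255.255.255.0", 2),
    "guest wireless LAN": ("192.168.10.1", "255.255.255.0", 20),
}

# Constructed plan with three deliberate mistakes for the checker to report.
BAD_PLAN = {
    # counts the modem/router's own LAN address as a third interface
    "outer LAN": ("192.168.0.1", "255.255.255.252", 3),
    # 172.32.x.x is past the end of the private 172.16.0.0/12 block
    "business wired LAN": ("172.32.42.1", "255.255.255.0", 2),
    # same 'x' as the outer LAN, so the two blocks collide
    "guest wireless LAN": ("192.168.0.1", "255.255.255.0", 20),
}

if __name__ == "__main__":
    for label, plan in (("PLAN", PLAN), ("BAD_PLAN", BAD_PLAN)):
        print(label, check_plan(plan) or "ok")
```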

 