Helping people with computers... one answer at a time.
It's common to have computers that are used for sensitive things sharing a network with less trustworthy users. Understanding protection is important.
We're a family where the adults use the Internet for serious reasons but we can't take a chance on having our children screw things up - intentionally or by accident. How should we set up our home network?
Normally, we think of threats as being "out there" on the internet. The problem is that not all of them are. As much as we might know and do to protect ourselves, sometimes the threat is nearby, right in our own home.
In the children's bedroom.
The good news is that you can protect yourself from the kids. You just have to look at your network a tad differently.
First we need to group the computers in your home into two distinct buckets:
Computers you trust. These are the computers you control and can safely assume are being used by individuals who understand the basics of keeping a computer safe on the internet.
Computers you don't trust. These are the computers that are being used by people who are less computer savvy, don't understand safety, and are likely to do things that they shouldn't, resulting in frequent infections of malware.
In a nutshell, each of these groups needs their own network.
I've talked a lot about routers and how they protect you from the internet; the threats "out there". A more simplistic way to think of it is simply this: one side of a router is trusted - the local LAN side where you plug in your computers - and the other side, the WAN or internet side, is not. Normally, we plug that other side into the internet, but it doesn't have to be that way. You can use this concept to protect yourself from that other network in your own home as well.
Now since we're going to assume that there's a group of computers we can actually trust (I'll call it the "parents" side), and a group we cannot (the "kids") the risk we're looking at is one sided. We need to protect the parents from the kids, but not the other way around.
That actually makes life a tiny bit easier.
I'm also going to assume that your ISP is only going to give you one IP address, as is typical.
You'll need two routers. Here's the configuration:
"Router A" protects everyone from the internet. The local side of router A, or the local network or LAN, connects to the kids' computers, and gives them internet connectivity, and if appropriate, connectivity to each other.
But from the parents' computer, Router A's LAN is not trust worthy. It may not have direct internet threats on it, but it does have threats - namely the kids. So we treat that as unsafe and use a second router to protect ourselves from that.
"Router B" protects the parents' computers from Router A's LAN. The kids' computers on router A have no way to independently connect to the computers hidden behind router B. That is the protection of a NAT router, and that's what's protecting the parents from the kids.
About the only recommended configuration change to the routers would be to have them assign IP addresses from different ranges. Perhaps one might assign from 192.168.0.X and the other 192.168.1.X.
In this scenario, the kids are not necessarily protected from the parents. In fact, with proper configuration, the parents' computers might well be able to connect to the kids' computers. (This can get complicated and can be fragile, so I'm not going to get into details here.). The important point to realize is that ultimately the protection is one-way in this configuration. Parents are protected from kids, kids are not protected from parents.
For absolute bi-directional safety, protecting both parents and kids from each other, you'll need three routers. You can see that scenario play out in How do I protect users on my network from each other?.
Also note that computers that share a network are not necessarily protected from each other. The parents' computers, for example, are within a trusted network, and are not protected from each other.
Finally, a comment I expect is that this is overkill, and why not just use a good software firewall on the parents' computers?
In my opinion, the protection of a NAT router is absolute. By definition, it prevents network based threats from traveling from the untrusted side to the trusted side, simply by virtue of the fact that no computer on the untrusted side can connect to a computer on the trusted side. (Unless you explicitly configure the router to allow it, of course.) Software firewalls offer no significant additional protection for incoming connections, take up resources, and can themselves be compromised by malware.
A NAT router based solution is inexpensive, and effective.