What is the most sensible and non expensive way to separate the student and teachers areas of a secondary school LAN

Here in Norway, the school authorities recommend that we use two separate networks for students and teachers.

But is that really necessary?

Isn't it enough with a single 2003 server domain, well set up group policies and permissions?  A password on the bios.  Use a group  policy to force student PCs to log onto the domain.  (although I'm not sure how to hinder student access at the dos level)

We have a small school with only 35 computers.  Both students and teachers need access to the internet from one broadband connection.

Since we are not running any web or email servers out to the public internet, is it really necessary to buy a hardware firewall?  They are so expensive.  We just have a basic NAT broadband modem.

If we have two separate networks, then as far as I understand, we will need 2 servers instead of one, and a hardware firewall with 2 or 3 legs to separate the two networks whilst giving both access to the internet.  All of this is going to be much more expensive!!

What do you guys do in other SMALL schools???

I would really value some well informed advice on how to set it up, from those of you in the know.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

question is why do they believe 2 networks are better than  just 1.
also it is possible to set 2 networks with 2 different ip schemes in the same room , its more work and
depending on how you set it up , can either be sperated entirely until you hit your internet connection
or   binded in a way where they coinside together which is a headache to work with.

review your pro and cons

1. cost value
2. overall efficency
3. cost of maintenance
4. possible pros for seperation

(although I'm not sure how to hinder student access at the dos level)
1. bios password
2. remove bios bootable options and boot to C: or os partition  , remove floppy and cd-rom option
3. lock tower
4. disable usb use
5. use gpos to create a more restricted desktop , were all their allowed to do is run items from the
startmenu and maybe save items to my docuements.
6. remove the run command
7. disallow cd-rom access , and startup options
8. 1 month scan for virus ,malware , adaware
9. try to hack yourself into the system with the security in place.
10.a remove right click option
11. audit "success" on  valuable data on your teachers systems. track pc.

theirs more options but you get the idea.
hopefully someone can give you better insight on seperation of student and teacher.
Alistair7Author Commented:
I guess my basic questions are:  

Isn't a single 2003 domain, with one subnet, secure enough to stop secondary students gaining access to teacher computers.

And do we really need an expensive hardware firewall when we have no web server or mail server? (I have used Zonealarm, Adaware, Winpatrol, etc..... )  But only Winpatrol is free for use in a school setting.
It is not necessary to have an expensive hardware firewall: use a cheap PC with two NICs and install Smoothwall on it. It is really simple to set up even if you don't know anything about Linux, free (and Open Source) and has a great documentation.
You can also configure smoothwall to work as a proxy, which would be a benefit in a school to control access towards internet and to speed up many operations.
As for your domain, I think you could simply disable login for the students on some machines, that will be used only by teachers, then protect shares (use subinacl.exe downloadable freely from Microsoft and maybe DumpAcl, also free, from http://www.systemtools.com/somarsoft to have a report of the permissions you already gave). Other than this, use sound group policies and you should be done.
Hope it helps, Elbereth.
Leon FesterSenior Solutions ArchitectCommented:
You can easily use windows 2K3 using group level security add your students to 1 group (user permissions only) and your teachers to another group. Check that only the teachers group have access to their PC. You can check that on the security tabs of your folders. Just also remember your default shares if using Windows 2K on your desktops. In your default domain policy on your Active Directory, you can further secure your workstations by modifying the "Allow log on locally" option. To find your group policy in Active Directory, right-click the domain name, click properties, click Group Policy, click Edit. You should then enter a MMC console screen. Drill down as follows: Computer Configuration - Windows Settings - Security Settings - Local Policies - User Rights Assignment. Here you will find a whole host of options to restrict user logins and their security across the whole domain. Just checkout the help if you get stuck...Microsoft did some decent work on the help here.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.