jimdorman

How to secure 3 computers on a "shared" network hub/switch?

I moved to a new floor in a new building.  All computers are physically connected to the same hub/switch, which also provides Internet access.

My 3 computers are in a workgroup called MSHOME.  Everything is working fine except, when I start windows explorer and navigate to
\My Network Places
\Entire Network
\Microsoft Windows Network
\MSHOME
I see the workgroup MSHOME.  However, there are 8 other computers in the same workgroup.  If I click on their computer name, I can see the contents of their computer.  These 5 computers belong to other business(es).

How can I secure my network of 3 computers?  I don't want other business(es) to be able to see the contents of my shared folders.

Thanks for your help.



Lee W, MVP

Easiest way?  Buy a network switch and put ONLY your computers into it.  Of course, that doesn't stop someone else from plugging in.  You can try to create new users and get away from the XP "friendly" networking which provides virtually no security, but frankly, this can be difficult to get and keep working properly.  Best way though would be to go get yourself a server running Small Business Server 2003 R2.  That would get you away from the workgroup style networking and instead put you in a domain which has much greater security controls.
I would assume you have NTFS partitions and not FAT; then you can protect your files by NTFS permissions, or when you share your folders you may protect them by using share permissions.
Check this article:
http://support.microsoft.com/kb/304040
SOLUTION
DistinctiveIT

This solution is only available to members.

Sorry guys, but another network switch or router will not be effective protection.
He needs a firewall, a Cisco 501 4 port would be good for under a grand.
Disabling services works, but he may need them himself...
I would only allow internet traffic via the firewall and block all other ports...
port 80 and 443 should suffice for starters...


What is your relationship to the other computers (other than being on the same floor)? If you do not have a need for the other computers to ever access your machines then you do need a firewall.

Depending on how you use the internet, you could get by with a home-class broadband router/firewall. Or your data may warrant an enterprise solution along the lines of a Cisco ASA or Sonicwall device. Do you need to host your own servers (email, web, etc.)?  Do you want remote access to your machines?

By spending some time and detailing how you want to use your internet access we can give you better recommendations.
debuggerau, he doesn't NEED a firewall... what he needs is a consultant to assess his situation and help him determine what level of protection is appropriate.  There's really too little information here to give anything more than basic recommendations.  
Ok guys, maybe you're right, he COULD just use a router and use access lists to port block, but that won't give him the peace of mind from intrusion detection, logging and ActiveX/Java filtering, plus VPN access to work if he liked.

But as long as he has a firewall configured in XP, it may be secure, assuming no one ever turns it off...

And leew, whatever.....

HBustan: I wouldn't dare to disagree with your opinion, you're definitely right. But frankly speaking - I wasn't assuming that we will talk about deploying HW firewalls, VPN gateways, multifactor authentication and all of that hi-tech stuff just because of 3 very benevolently installed workstations. I was thinking about some reasonable ratio between cost and security. There is always a way in and the only thing we can do as security specialists is to mitigate the risks and at the same time try to avoid "security by obscurity".
Maybe I just misunderstood the scenario, I thought it's just 3 not-so-important office machines, where the asker doesn't want the others to be able to access the files by simply clicking on a computer in network neighbourhood.
My intention was not to say "you're all lamers here and only I'm the enlightened one"...I was just wondering how deep did all of you get in that discussion, it just seemed inappropriate to me. Take my apology for that.
jimdorman

ASKER

All 3 computers have NTFS.  All 3 have the ENTIRE (drive C) hard drive as shared.  Only 1 computer has a laser printer.  The other 2 computers print to the shared printer.  The IP address that we are assigned (by the common router) is something like 10.1.10.1.

The building owner said we could use our own hub (note he did not say router or switch).  That would be great as long as we could still get our "free" internet.

I don't think the other companies are aware that their security is poor (since I was able to see the contents of one of their hard disk drives).
We must have file and printer sharing enabled.  The Windows firewall is disabled.
In summary:  All three computers have to "see" each other and access each other's hard disk drive and share a printer.  All three computers have to go out to the internet.  I don't want any other company to access any of our hard drives (or shared printer).
Thanks for your help.
I have a generic 4 port hub/switch.  It's not programmable.  Would that work?  I also have a linksys router WRT54G (that was used in the old office building).  It is programmable.  Would that work?

Note:  The building manager created 20 offices on this floor.  He bundles phone, network and Internet together and leases to many companies.  Since the companies (including mine) are running peer-to-peer networks, we see each other(s) workgroup and computers.
1. Again - no problem with file sharing, but why entire disk? Make one shared folder on each computer and if you have 3 users for these 3 workstations, create 3 user accounts for all 3 users on each machine.
2. Remove Everyone from share permissions and instead of them put here either the group Users or Authenticated users or particular user accounts, like Jim, John, Sally. Give them required permissions - read and possibly modify.
3. Go to security tab of particular folder, make sure there is not Everyone group, and put here the same like in share permissions.
4. Have the windows firewall enabled, just configure the exception for file and printer sharing to be allowed.

Given the scenario I think this should be ok. If you are afraid of being attacked by a skilled hacker putting all his effort to break into these machines, the battle would be lost for you even before it starts. But for normal operation I don't see any problem.
Of course, if somebody uses a sniffer on the same network segment, he would be able to easily capture your SMB traffic, thus being able to break all the passwords.
Consider implementing IPSec on your three machines or configure the local policies on each of them to use stronger authentication than the old NTLM.
Ok, I'll give it a try.
I have no problem with a D-Link, Linksys etc. router providing NAT for your protection; it's minimalist and will provide no protection for your staff, or help them to avoid malicious content over the internet, and depending on their habits, may compromise your computers.
But it will make your PCs invisible to the other business when they look into the computer browser.
I normally don't comment if others have adequately answered the question, and I believe DistinctiveIT made the first correct reply, but I didn't see that one until posting...



The IT person, supplied by the building management, installed the Linksys router.  However, when I start Windows Explorer and click
\My Network Places
\Entire Network
\Microsoft Windows Network (I still see other workgroups from other companies)
\MSHOME
I see other computers in MSHOME, except my secretary's computer.  It's missing from the list.
Their network person will look into it tomorrow.

I would assume the IT person installed the router incorrectly. Perhaps he connected the outside line into a regular LAN port instead of the WAN port. Only your three PCs should be connected to the LAN ports.
OMG, looks like those outsourced auto mechanics that took the computer power training course over the web are getting another call out fee, who said they weren't cunning..

My IP address is 10.1.1.71, other pcs:  10.1.1.70 & 10.1.1.72
subnet mask is 255.255.255.0
Default gateway is 10.1.1.1

The DHCP Server is 10.44.0.1
The DNS Server is:
12.127.16.67
12.127.17.71
216.73.128.2
216.73.128.3
No Wins Server

I can still see other companies' computers in the MSHome workgroup.

I told the building's IT person, that when I look at my "Microsoft Windows Network" in
Windows explorer, I should only see my 3 computers (that belong to my company)
and be able to browse the Internet.
Yes, well, I'd bet that the other computers don't have firewalls either.

If it's all working, you may want to block some ports so that your computers don't access the other unprotected PCs and get infected, block 139, 455, but that is completely optional...
I assume your router is 10.1.1.1 and your Internet IP is not in the 10.1.1.x range

If this is the case then you should be fine; otherwise the configuration is incorrect
If you would like a quick and nasty test from the outside, the 'shields up' test from
http://www.grc.com/default.htm
Just an FYI. You may want to check that your PC isn't automatically connecting to any unsecured wireless networks that are a part of the same building's network.
Even though I can still see other companies' computers in the same workgroup (after my router/switch) was installed by the building IT person, she came by the office today.  She said, there was nothing more she could do.  She suggested we use passwords (whatever that means).  So I am going to try the solutions you guys mentioned above.  Here I goooooooooo ....
Wow, what a useless IT person. Good luck!
I conducted an experiment.

Using the Linksys BEFSR81 router, this is what has happened:
I went to the Linksys web site to see about "connecting" two routers.
It gave two scenarios.

Hardware configuration:
Router 1 - 48 ports and Internet access
Router 2 - my router

Scenario 1:  Plug an RJ45 cable into a port in Router 1, and the other end of the cable into a port on Router 2.  I tested this, but was able to see other companies' computers.

Scenario 2:  Create a different LAN IP segment.  Change the local IP of router 2 to 192.168.2.1 and connect an RJ45 cable from a port on Router 1 to the WAN port of Router 2.
I tested this.  I did not see other companies' computers on my network, plus I still had access to the Internet.

Here is my question,
Since my real IP address is 10.1.1.71, all I should have to do is change the local IP address of Router 2 to 10.1.2.1.  This would put me on a different segment.
Enable DHCP on Router 2.  
Router 2 should assign:
Computer 1:  10.1.2.100
Computer 2:  10.1.2.101
Computer 3:  10.1.2.102
This should result in my computers being on their own network, and allow Internet Access.
Is that correct?



Okay.  I will try that after 3 pm today (pacific time).
Here is the complete scenario I will implement this afternoon.
Does it appear to be correct?

My IP address currently 10.1.1.71, would change to 10.1.2.71
The subnet mask (255.255.255.0) would not change.

Default gateway, currently 10.1.1.1 (building router 1)
would become 10.1.2.1 (my personal router 2)

(then I would run a cable from a port on the building router 1
to the WAN port on my personal router 2).

The DHCP Server, currently 10.44.0.1 would change to 10.1.2.1

The DNS Server, currently:
12.127.16.67
12.127.17.71
216.73.128.2
216.73.128.3
would not change.
It worked.  I changed the router's IP address to 10.1.2.1.  Enabled the DHCP Server.  My computer now has an IP address of 10.1.2.100 (the other two computers, 10.1.2.101 and 10.1.2.102).  All three computers also have access to the internet.

I ran Windows Explorer and checked the Microsoft Windows Network.  I am the only workgroup called MSHOME.  There are no other companies' computers nor workgroups appearing in the list.

I called the building IT lady and told her I am using subnet 10.1.2.x.  That she should not give that subnet address to anyone else.  She should not have anyone connect a cable to the open ports on my router.

I do have one question though.  When I changed the router's IP address to 10.1.2.1 and clicked save, it changed fine.  However, since I did not change the router's password (which is the default for Linksys), I was not able to go back in to change the password.

Prior to changing the router's IP address, I could type 192.168.1.1 and access the router.  Now, if I type 10.1.2.1, it says, page cannot be displayed.  Which means, I cannot access the router's menu to change the password.  Any solution for this?
I did not change the subnet mask.  I left it at 255.255.255.0
I only changed the router's ip address to 10.1.2.1
(unless the subnet mask changes by itself when I changed the router's ip address).
I'll check the subnet mask on Tuesday (Monday is a holiday).
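
Added example (not part of the original thread or any poster's reply): a Python check of the router-behind-router addressing plan discussed above, showing why the subnet mask matters to it. The function names are made up for illustration, and the building LAN is assumed to be 10.1.1.0/24, taken from the asker's original address and mask.

```python
import ipaddress

def check_inner_lan(wan_net, router_ip, mask, dhcp_first, dhcp_count):
    """Return a list of problems with a router-behind-router addressing plan."""
    wan = ipaddress.ip_network(wan_net)
    lan_if = ipaddress.ip_interface(f"{router_ip}/{mask}")
    lan = lan_if.network
    reserved = (lan.network_address, lan.broadcast_address)
    problems = []
    # The inner router forwards between its WAN and LAN sides, so the two
    # subnets must be distinct or it cannot tell which side a host is on.
    if lan.overlaps(wan):
        problems.append(f"LAN {lan} overlaps WAN {wan}")
    if lan_if.ip in reserved:
        problems.append(f"router address {lan_if.ip} is not a usable host address")
    pool = [ipaddress.ip_address(dhcp_first) + i for i in range(dhcp_count)]
    bad = [str(a) for a in pool if a not in lan or a in reserved]
    if bad:
        problems.append(f"DHCP leases outside {lan}: {', '.join(bad)}")
    if lan_if.ip in pool:
        problems.append("DHCP pool contains the router's own address")
    return problems

def same_subnet(host_a, host_b, mask):
    """True when two hosts using this mask reach each other without a router."""
    net_a = ipaddress.ip_interface(f"{host_a}/{mask}").network
    net_b = ipaddress.ip_interface(f"{host_b}/{mask}").network
    return net_a == net_b

# Assumption: building LAN is 10.1.1.0/24, from the asker's address and mask.
BUILDING = "10.1.1.0/24"

if __name__ == "__main__":
    plans = {
        "plan from the thread": ("10.1.2.1", "255.255.255.0"),
        "same plan, wider mask": ("10.1.2.1", "255.255.0.0"),
        "router left in building range": ("10.1.1.200", "255.255.255.0"),
    }
    for name, (ip, mask) in plans.items():
        issues = check_inner_lan(BUILDING, ip, mask, "10.1.2.100", 3)
        print(f"{name}: {issues or 'ok'}")
```

A clean result only says the addressing is consistent; it says nothing about which physical port the uplink cable is plugged into, which is what separated Scenario 1 from Scenario 2.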
And the Oscar goes to?  There are so many to thank.  All is working great now.  In Navy terminology: Bravo Zulu (Well Done).