Bill H

asked on

Separating traffic in Office

Hi, we have a Comcast SMC router which is connected to our ASA firewall, and behind that is a Cisco 3550 48-port switch. Now in our office we have some additional tenants who lease space and are plugged into our 3550. I want to keep them off of our LAN. How can I separate their traffic efficiently? Can I plug in another router behind the Comcast router (it has multiple interfaces and we have a block of public IPs) and then assign them to a different VLAN?
koudry

One approach would be to have users grouped under VLANs and assign the ports accordingly. If you want different security rules depending on the user groups, you can also use the zone element of the ASA to isolate the various groups. You can then redirect users to certain interfaces on the ASA device and define rules for the given zones. Just a thought.
Bill H

ASKER

Yes, I was thinking about the design with the separate VLANs. Now, if I assign their ports to a certain VLAN, would I then need a Cisco router (as their gateway) plugged into the Cisco 3550 switch?
ASKER CERTIFIED SOLUTION
hypercube
What version ASA? If it is a 5510, then you have the ability to set up VLANs on the 3550 switch and trunk to the ASA, then create sub-interfaces on the ASA to make virtual networks for each of the internal "customers".
If it is an ASA 5505, you may need a license upgrade to trunk, or use physical interfaces for a "dmz" network. Basically you want this additional network to be a DMZ with no access to your internal network, nor do you want your internal network to access theirs.
Long winded, I know, but yes, you can attach a separate router/firewall to the SMC and the switch with 2 different VLANs on the switch.
Although you could do it with a router and have ACLs on the router, I would suggest having VLANs terminate on the ASA as this would usually be a simpler configuration.
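As an added illustration of the trunk-plus-sub-interface design described in this answer for an ASA 5510 (constructed for this page, not configuration from the thread or from Cisco's documentation), the fragments below assume the ASA's inside interface is Ethernet0/1, the internal LAN is VLAN 1 on 192.168.1.0/24, the tenant network is VLAN 121 on 192.168.121.0/24, and the ASA uplink is 3550 port FastEthernet0/1. All interface names, VLAN numbers and addresses are assumptions.

```cisco
! --- Cisco 3550: trunk the uplink to the ASA, carrying VLAN 1 (untagged, native)
!     and VLAN 121 (tagged); nothing else is allowed onto the trunk ---
vlan 121
 name TENANTS
!
interface FastEthernet0/1
 description Trunk to ASA 5510 Ethernet0/1 (assumed port)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1,121
!
! --- ASA 5510: untagged frames on the physical interface stay "inside";
!     a dot1q sub-interface for VLAN 121 becomes a separate, lower-security
!     "tenants" zone, which is the DMZ-style network the answer describes ---
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1.121
 vlan 121
 nameif tenants
 security-level 50
 ip address 192.168.121.1 255.255.255.0
!
! Tenants may reach the Internet but never the internal LAN
access-list TENANTS_IN extended deny ip 192.168.121.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list TENANTS_IN extended permit ip 192.168.121.0 255.255.255.0 any
access-group TENANTS_IN in interface tenants
!
! The internal LAN must not reach the tenant network either (the ASA would
! otherwise allow it because inside has the higher security level); the final
! permit keeps the normal inside-to-Internet access
access-list INSIDE_IN extended deny ip 192.168.1.0 255.255.255.0 192.168.121.0 255.255.255.0
access-list INSIDE_IN extended permit ip 192.168.1.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
```

The ASA still needs a NAT rule for 192.168.121.0/24 toward the outside interface (the syntax depends on the ASA software version, so it is not shown), and a DHCP source for the tenant VLAN. To confirm the isolation after applying it, `packet-tracer input tenants tcp 192.168.121.50 12345 192.168.1.10 445` on the ASA should report a drop on the TENANTS_IN access list.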

Bill H

ASKER

Unfortunately I have the ASA5505 with base license.

Would a Linksys wireless router be able to be the gateway for the new VLAN?
Sure.  That was the point of the paper I sent you.  But I don't think I'd necessarily call it a VLAN unless that's what it is.  I'd call it a subnet for sure and then maybe a VLAN if you set it up that way in the ASA.  But the latter isn't necessary.
If your 3550 has L3 capabilities, then you could segment your network using VLANs on the 3550 and use access control lists on the VLANs to restrict traffic.

If you could post a copy of the config of the 3550 it would be useful.
Bill H

ASKER

Fmarshall, thanks for that PDF. So I plan on putting the other tenants on ports 35-45 on the 3550, which are the ports designated for VLAN 121. On port 46 I will connect the Linksys router assigned to VLAN 121. For the router, the WAN gateway would be my Cisco ASA inside address, right?
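The earlier suggestion to let a Layer 3 capable 3550 do the segmentation with VLANs and access lists can be applied to the port plan just described. The following is an added, constructed 3550 configuration (not from the thread, from the PDF mentioned, or from Cisco's documentation) that assumes the switch runs an IP-routing image, the internal LAN is VLAN 1 on 192.168.1.0/24 with the ASA inside address 192.168.1.1 as its gateway, the switch's own address on VLAN 1 is 192.168.1.2, and the tenant VLAN 121 uses 192.168.121.0/24. In this variant the switch's VLAN 121 SVI is the tenants' gateway, so no separate router is needed on port 46; every address and VLAN number here is an assumption.

```cisco
! Cisco 3550 (IP-routing image assumed): tenants on their own VLAN,
! routed on the switch, kept away from the internal LAN by an ACL
ip routing
!
vlan 121
 name TENANTS
!
! Tenant ports 35-45 as in the plan above: plain access ports, no trunking
interface range FastEthernet0/35 - 45
 description Tenant ports (constructed example)
 switchport mode access
 switchport access vlan 121
 spanning-tree portfast
!
! Internal LAN SVI; the ASA inside address is the switch's default gateway
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
!
! Tenant SVI: this address is the tenants' default gateway, and the ACL
! applied inbound here is what enforces the separation
interface Vlan121
 ip address 192.168.121.1 255.255.255.0
 ip access-group TENANT-ISOLATION in
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
ip access-list extended TENANT-ISOLATION
 remark Tenants may reach the Internet via the ASA but not the internal LAN
 deny   ip 192.168.121.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.121.0 0.0.0.255 any
!
! Internal hosts should not initiate traffic toward the tenants either
ip access-list extended INTERNAL-TO-TENANTS
 deny   ip 192.168.1.0 0.0.0.255 192.168.121.0 0.0.0.255
 permit ip any any
!
interface Vlan1
 ip access-group INTERNAL-TO-TENANTS in
```

For the return path the ASA needs a static route for 192.168.121.0/24 pointing at 192.168.1.2 and a NAT rule covering that subnet (ASA-version dependent, not shown). After applying the configuration, `show ip access-lists TENANT-ISOLATION` on the 3550 shows match counters on the deny line when a tenant host attempts to reach the internal subnet, which is a quick way to confirm the isolation is actually being hit rather than bypassed.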
Why not plug a switch or hub directly into the Comcast modem and connect the other office's network to it? This would solve the problem AND you wouldn't need to change any configurations on your ASA or add VLAN tags on all the ports. I would keep it simple and would want to keep them as far off my network as possible, with as little work on my part as possible. Your network would also be protected behind the ASA AND with none of their traffic passing through your internal network.

If they have a virus infection, are you responsible for cleaning up the infection? Not to mention the added risk, and resulting work, of your computers being infected.
Bill H

ASKER

I would love to do that, but based on the location of the patch panel they do not want to do this.