Please help correctly segment the network

I wish to seperate sections in the LAN
Lan traffic only, Internet traffic only
Server/Workstations have eth0 and eth1 available.

Please see the below diagrams for advise;
1. Current: http://www.kwamsook.com/pub/NETWORK-Public.png
2. Proposed: http://kwamsook.com/pub/NETWORK-Public-Firewall.png

Objectives;
I'm not sure which is the best approach...
1. Use the layer 3 managed switch (port based) for each server/workstation,
eth0 for LAN only, eth1 for Internet only ?
2. Use a dedicated Firewall 'before' the router and assign the
wireless a 10.0.0.0 network to keep them off the lan 192.168.100.0
3. Use another router

The issue I'm concerned with most is using one of the servers for a Samba file share
(LAN access only), but the server needs updating from the Internet as well. My understanding
is that it's best to separate the LAN/Internet traffic with an entirely different subnet.

I wish to prevent a setup where a server/workstation could be accidentally misconfigured
to use Internet traffic on the wrong eth0/eth1 interface.

All server/workstations are Debian amd64 Testing.

Can someone please recommend an approach to properly isolate LAN/Internet traffic for
the proposed network layouts at the above links?

Thank you much.
jennyforme

Thank you dadiggle.

Sorry, I'm not 100 percent clear. Do you mean use all eth1 nics (Internet access) and
connect directly to the Firewall or a seperate proxy server on 10.0.0.0 ?

>"...Option 2 just have the firewall added. Routing is the key here."
? Do you mean 'static routing' ? If so which source/destinations?

>"...Set your ADSL gateway as the default gateway on clients or proxy server and then only set default gateway of the wan link for other clients that you want to go over the wan"
? In the diagrams above, where are you assigning the gateways ?

Thank you for your help.
Jennyforme

dadiggle.

You are avoiding my questions, never mind thank you.

Can anyone else please help me?

Thank you.
jennyforme