As it should:
a separate router at the edge, servers and all components that work with the outside world directly - in a separate DMZ zone, between the DMZ and the internal network - statefull fw. On the windows ISA proxy for internal users, direct routing between office PCs, DMZ and the outside world is prohibited. All this economy is desirable to reserve.
How can aka a budget collective farm option:
One Linux server, aka stateless fw, preferably a proxy on it, nat is less desirable. Throw out the Windows server altogether. Separate servers with a vlan from users. Direct routing between all components is allowed, accesses are cut by iptables.
How will it be.
The local admin will go to the management and say that I don’t know how to manage all this, two more people are needed to manage this economy. he will also help the management to draw up the TOR and the acceptance test methodology (if he even knows what it is). The management will be imbued and put you demands under his tune.

1. I never understood people distributing the Internet and routing to Windows Server. Even Kerio on Windows caused terrible heartburn.
2. Ideally, the internal network should be divided into vlan, servers should live separately, office computers should be separate (sometimes the office is divided into departments on different subnets), wifi guests should also be separate and all this should be flavored with a good portion of acl. And on servers rigid division and control of access.

1. Inappropriate. It is easier in all respects (hardware, licenses, support) to make a linux-box router. There are a lot of manuals on the net on this issue, there are not many cases, any administrator can handle it. There are also special distributions with a web console, it will not be more difficult to manage Windows. and there are much fewer vulnerabilities than with a Windows server.
2. Necessary. The network perimeter is now very blurred, and not only a virus can be a threat on the internal network, but also the user himself or the one who pretends to be one. Everything that users do not need should be closed with a firewall or disabled.

1. It all depends on the specific task and skills in administration, if it is possible to implement it on unix-like, then it is better to do the router there, if only because opensource, there is no additional load on the machine except for fw, within the local office on unix- router is fine for a computer with 1cpu/512RAM. in the case of windows-gate, you need a license for windows Server and you must comply with the hardware requirements.
2. Necessary. Ideally, there should be a network security policy in which ACLs are declared on ports for specific machines, accounting can go, for example, on ports 8080,8090 to bank-client domains, etc., but the manager does not, this is a policy to the outside world, in the internal network you also need comply with the security policy, technically, of course, you can plug in smart switches everywhere and hardcode mac-ip, and issue ACLs on switches - this is up to protection against attacks with a compromised OS, also set up security at the switch level - spanning tree, protection against arp-spoof, unicast / multicast storm, but the administrator can also configure domain firewall rules, which in general will be a positive solution for traffic differentiation, you can also sniff suspicious IPS / IDS activity on the local network.