So access to unsecured to secured not optimal? How about adding in another router, and just turn off the wireless on it? Access to off to public and private?
You should be able to get a decent quality non-wireless router for substantially less than one with wireless capability, so no need to get a wireless router and shut one of the ports off.
Still, my thought is that since that invovles more money/equipment to see if just the two routers will do what you need it to do. There are even routers out there with dual radios that can run two networks at once - so you can run an unsecured open point and a secured private point using the same piece of equipment.
Even with two different routers, you should be able to set up QOS (Quality Of Service) to prioritize your private router's traffic. With something that's actually 'Enterprise/Business', you should be able to set up rules such that the Public side only gets limited access to the internet, while the private gets full access. Well, except to the public side, because that's blocked.
Valid ranges for NAT: 10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255, 192.168.0.0 - 192.168.255.255
As long as your NAT ranges are within there, you won't be duplicating/blocking any of the internet.
On a final point, if you're going to run any servers on the private network, with the two layer router idea you'd need to do port forwarding twice - once on the private router to get the port to the computer, and on the public side to get the port to the private router.
I have to do this right now because the phone company sent me a combined DSL modem/router, while I run my own wireless router.
DSL modem/router - basic 4 port 100mbit switch, no wireless, basic configuration options.
My router: Dual radio 802.11n, 5 ghz capable, capable of the dual networks I mentioned, gigabit wired switch(4 port), all sorts of QOS fun. Oh, and I set it up so that to configure the router you need to be on a wired port, plus have the password.
I haven't tested, but I'm pretty sure I could configure one of the wired ports to be 'isolated'.