Ion Classic w/Nomad client and WAP Setup

I haven't actually tried this yet, but I'm trying to piece together a plan before hand I have an Ion Classic at my theatre FOH, and a nomad PC w/dongle rumning as a remote client by ethernet hardwire backstage, no switch involved yet, straight console to pc connection, currently it works like a charm. BUT!

I want to have internet on the pc without the internet connection reaching the Ion. I have an internet hardline coming from IT, I am not in charge of the router, and they have strict protocols to follow because it is part of a school system.

Also I wan to add a WAP so I can use the EOS remote app. The WAP needs to remain completely unavailable and inaccessible to everyone and everything except me and Eos, no internet to anything but the pc from the hardline.

So my plan is to connect a 4 port switch to the internet line, and run patch cables to the pc, Ion, and wap from the switch. Then maybe set up a vlan or do some port blocking in the firewall somehow to keep internet from getting to the Ion and the WAP. 

My question is: is that possible? Am I missing anything? Can anyone advise me how to make this work before I get elbow deep and realize I've done it all wrong or it isn't even possible.

Tanks in advance!