I have a series of related questions about transforming my current
peer-to-peer home network to a client-server network, and in the
process, eliminating any current security problems, and preventing
their reoccurance.

First, I want to know whether it's possible to know whether my three
current Win XP Pro machines (two desktops and a notebook) are
compromised/backdoored, and if so, how to find out.  They've all been
on a peer-to-peer ethernet network with aDSL via a ZyWALL 1 firewall
acting as DHCP server, and the notebook has been on various
more-or-less unsecured networks in the US and Mexico.  The two
desktops have always been behind the firewall and have run at least
Norton AntiVirus, and the notebook has always run Norton Internet
Security, and all three are now running Norton Internet Security and
Adaware.  However, one of the desktops is used by my wife and two
housemates, none of whom are particularly sophisticated regarding
computers (and occasionally download "cute stuff").  I recently
replaced the ZyWALL 1 with a Watchguard Firebox X5 (also acting as
DHCP server).  I made the firewall the DHCP server so taking the
server down wouldn't leave the network without one.  Of course, I
realize that having the aDSL router or hardware firewall as DHCP
server rules out the possibility of using ISA Server because its NICs
won't have fixed addresses.

I want to know whether my current machines are compromised because I'm
planning to introduce a high-performance server to the network -
primarily to run SQL Server to serve large (50-100 Gb or larger)
tables to Access on my desktop, and also as a file server and backup
manager (ongoingly to Firewire drives and daily to packet tapes) - and
I don't want to risk compromising it.  Much of my data is highly
confidential and covered by judicial protective orders.

I'd also like to use the server from my notebook via VPN when I'm
travelling, if that can be done securely.  The Watchguard Firebox X5
supports apparently-secure VPN, but I don't know enough to compare it
to other hardware firewalls, or to software firewalls such as ISA
Server.

If it's ultimately unanswerable whether my current machines have been
compromised, I'm planning to assume the worst, and to totally wipe
them all by reformatting their hard drives and reinstalling Win XP Pro
and apps - although I realize that'll be a pain, and would annoy my
wife and housemates.

Before doing all that, I'd obviously need to backup data files from
those machines for reinstallation, and I plan to do that via external
hard drives (making two copies of everything, of course).  However,
I'm concerned that a hypothetical hacker could have set up some
mechanism to compromise machines via external hard drives, analogous
to boot sector viruses.  I'm going to be running Symantec AntiVirus 10
on the server (eventually protecting its clients), and I could also
put the old data files there - either via the external hard drives, or
via the network - and depend on it to find anything nasty before I
copy what I want back to the clients.

I'm assuming that transfer via external hard drive is safer than
transfer via network, because I'm sure that compromised machines look
for new machines to compromise.  Although I don't know how well
Symantec AntiVirus 10 blocks that process, I suspect that it's harder
to do than to detect infected files.

The last question is how to isolate the house desktop and my notebook
from the server and my desktop.  Is that something that Symantec
AntiVirus could handle?  Would Norton Internet Security help, or
conflict?  Is that something that I can only do with ISA Server, using
additional NICs, one for each subnetwork?  If so, should I ditch the
Watchguard Firebox X5 because it and ISA Server would fight?  And how
hard is it to set up ISA Server properly to do that?  Alternatively,
can one put hardware firewalls (such as my surplus ZyWALL 1) between
network segments?