We are planning something very similar to this on our campus. We have a Cisco 3550 as the central router. I have divided the client network into several security zones. Each zone will get its own VLAN. We will use access lists for each VLAN allowing connectivity to the central servers (the servers have their own zone) and the outside, but denying access to the other zones.
With this model, users will be able to “see” only the other users in their own net, the servers, and the outside.
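The per-VLAN access-list model described above, as an added IOS configuration example (not the poster's own configuration). Addressing is constructed: client zone A is VLAN 10 / 10.10.0.0/24, zone B is VLAN 20 / 10.20.0.0/24, the server zone is VLAN 100 / 10.100.0.0/24, and all campus space is assumed to sit inside 10.0.0.0/8 so that one deny covers every other zone.

```cisco
! Added example, constructed addressing (see lead-in); not the poster's config.
ip routing
!
interface Vlan100
 description server zone (no inbound ACL: servers may answer any zone)
 ip address 10.100.0.1 255.255.255.0
!
! Per-zone ACL applied inbound on the client SVI. The 3550 evaluates entries
! top-down and stops at the first match, so the order is: servers and the
! zone's own gateway first, then deny the rest of campus space (the other
! zones), and only then permit "the outside".
ip access-list extended ZONE-A-IN
 remark clients of zone A may reach the central servers
 permit ip 10.10.0.0 0.0.0.255 10.100.0.0 0.0.0.255
 remark clients may talk to their own gateway (DHCP relay, ping, etc.)
 permit ip 10.10.0.0 0.0.0.255 host 10.10.0.1
 remark block every other campus zone (all remaining VLANs live in 10/8)
 deny   ip 10.10.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 remark everything that is not campus space is "the outside"
 permit ip 10.10.0.0 0.0.0.255 any
 remark implicit deny: packets whose source is not 10.10.0.0/24 (spoofed
 remark or misconfigured hosts) never leave this VLAN
!
interface Vlan10
 description client zone A
 ip address 10.10.0.1 255.255.255.0
 ip access-group ZONE-A-IN in
!
! Same policy for zone B; only the source subnet and gateway change.
ip access-list extended ZONE-B-IN
 permit ip 10.20.0.0 0.0.0.255 10.100.0.0 0.0.0.255
 permit ip 10.20.0.0 0.0.0.255 host 10.20.0.1
 deny   ip 10.20.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.20.0.0 0.0.0.255 any
!
interface Vlan20
 description client zone B
 ip address 10.20.0.1 255.255.255.0
 ip access-group ZONE-B-IN in
```

Router ACLs on the 3550 are stateless, so each SVI's inbound list has to permit the traffic arriving from that VLAN on its own; replies from the server zone are governed by whatever is applied on Vlan100, not by ZONE-A-IN. Verify the ordering after loading with `show ip access-lists ZONE-A-IN`, which also shows the per-entry match counters.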