Your theory is a little bit off. By creating VLANs, you don't really segment the traffic. All clients will still have to reach the servers and WAN access. This means that by creating VLANs, your router will be doing more work. This will cause more bottlenecks getting to the WAN. Every packet will have to be routed, instead of switched.
I do agree with you on putting the clients into a separate VLAN from the servers. You can use non-routable numbers. By doing so, you can set up an Internet proxy and limit who gets access to the outside world. With the proxy, and a firewall that only allows the proxy server access to the Internet, you can gain control over the network.
Your real need is to set up ACLs (access control lists). In that way, you can block some ports that viruses use. You do have to use caution here, though. The reason the ports are open is that some program, probably a Microsoft network application, is using them. Some network applications will stop functioning when certain ports are blocked.
It appears to me that your main problem is a weaker core router. While I can't suggest anything by name, you can email me offline and I can give you my limited knowledge about setting up this network. The main thing to remember is KISS, keep it simple...
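The reply above makes two points that are easy to get wrong in practice: a router ACL is evaluated top to bottom with first match and an implicit deny at the end, and a blanket port block can break a legitimate Microsoft networking application unless the internal permit sits above it. The following is an added example, not code from the original post or its author: a small first-match ACL evaluator in Python run over constructed packets. The addressing (clients in 10.0.2.0/24, servers in 10.0.1.0/24, proxy at 10.0.1.10) and the choice of TCP port 445 as the "port a virus uses" are assumptions made for the example; the post names none of them.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed addressing (assumption, not from the post): clients live in a
# client VLAN, servers in a server VLAN, and one host in the server VLAN is
# the Internet proxy. Anything outside these ranges is treated as the WAN.
CLIENTS = "10.0.2.0/24"
SERVERS = "10.0.1.0/24"
PROXY = "10.0.1.10/32"
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: str                    # source CIDR
    dst: str                    # destination CIDR
    dport: Optional[int] = None  # None means any destination port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if the packet falls inside the rule's source, destination and port."""
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation with an implicit deny when nothing matches,
    which is how a router ACL behaves. Returns (action, index of matching rule)."""
    for i, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None


# Naive ACL: the port block is placed above the client-to-server permit, so it
# also catches legitimate internal use of that port.
NAIVE_ACL = [
    Rule("permit", PROXY, ANY),          # only the proxy may reach the WAN
    Rule("deny", ANY, ANY, dport=445),   # block a worm-abused port (445 is a constructed example)
    Rule("permit", CLIENTS, SERVERS),    # clients may reach the server VLAN
]

# Reordered ACL: permit the legitimate internal traffic first, then block the
# port everywhere else. Direct client-to-WAN traffic still hits the implicit deny.
ORDERED_ACL = [
    Rule("permit", PROXY, ANY),
    Rule("permit", CLIENTS, SERVERS),
    Rule("deny", ANY, ANY, dport=445),
]

# Constructed sample traffic: a client browsing directly, the proxy browsing,
# a client opening a file share on an internal server, and a client trying
# port 445 towards the WAN.
SAMPLE_TRAFFIC = [
    ("client_to_wan", Packet("10.0.2.20", "203.0.113.5", 80)),
    ("proxy_to_wan", Packet("10.0.1.10", "203.0.113.5", 80)),
    ("client_to_fileserver", Packet("10.0.2.20", "10.0.1.5", 445)),
    ("client_to_wan_445", Packet("10.0.2.20", "203.0.113.5", 445)),
]


def audit(acl: List[Rule], traffic) -> dict:
    """Map each named flow to the action the ACL would take on it."""
    return {name: evaluate(acl, pkt)[0] for name, pkt in traffic}


if __name__ == "__main__":
    for label, acl in (("naive", NAIVE_ACL), ("ordered", ORDERED_ACL)):
        print(label, audit(acl, SAMPLE_TRAFFIC))
```

Running the block shows the difference the post warns about: under the naive ordering the client-to-fileserver flow on port 445 is denied by the port rule, which is exactly the "network application stops functioning" case, while the reordered ACL permits it and still denies every direct client path to the WAN, leaving the proxy as the only way out.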