All you really need at a minimum would be a router and one or more switches. A firewall device would best handle the edge security and VPN, but that could be done on the router as well. Domain vs. workgroup depends first and foremost on the level of security desired, and a domain would make life easier managing this number of machines and users. A domain would also provide an additional layer of security for the VPN.
I agree that the domain model is much better to use than a workgroup. You can implement things like RADIUS to support 802.1x or VPN services. Group policies may also become useful in your environment. Actually, for your small environment, you would likely be best served by investing in the Microsoft Windows Small Business Server platform rather than trying to implement the services on the current standalone Windows 2003 server you have. This website may also provide lots of information for you to consider on your design and implementation strategy.
I assume when you mention VPN connectivity, you are talking about remote access into this network? VPN for internet access is not a requirement. A firewall is needed for internet access. Smoothwall is a decent open source firewall. It may also provide the remote access into your network that you are looking for.