Hi guys, I'm new here and tried to read all the previous posts in order to find an answer to my question, but with no luck. Forgive me if I'm breaking any rules/etiquette. I'm not sure where this post should go.

I'm dealing with a client who has one router bridging a Telstra Bigpond modem (broadband, of course). The router's NAT is enabled. The router's DHCP server is enabled. The DHCP clients are two Windows XP machines. Let's call these machines Box 1 (B1) and Box 2 (B2). Both B1 and B2 are connected via 10/100 Ethernet to the router. Both machines are full of spyware/adware threats.

Originally I was contacted to clean both machines of these threats. Then I was told to only clean B1. I said yes, it is possible with new hardware to clean and isolate B1 with a new router (2 x IP VLANs, one machine on each). I was told after this that there was to be no new hardware.

Once I have cleaned B1 (of adware/spyware/trojans) I have to isolate it from B2 and still allow B2 to access read-only shares on B1. Without knowing what specific OSI layers the spyware/adware infect on, I am having difficulty. I am thinking my only option is to enable Microsoft's Firewall (both machines are protected behind the gateway NAT already) on B1. Is it possible to create one rule to block all traffic from B1 to B2 (and vice versa) excluding port 445 (read-only shares)? Will spyware/adware (from B2) still be able to infect B1 via port 445?


*The router mentioned is very basic, and is not capable of advanced features, e.g. DMZ.
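The Windows XP firewall configuration the question is asking about, as an added example that is not part of the original post. It assumes Windows XP SP2 on B1, whose built-in firewall filters inbound traffic only (it has no outbound or per-host "block" rules, so isolation is done by opening nothing except TCP 445, and opening that only to B2's address). The addresses 192.168.1.2 (B1), 192.168.1.3 (B2), the interface name and the share path are assumptions for illustration; B2 needs a fixed address (static or a DHCP reservation) for the scope to mean anything. Whether the share is read-only is decided by share/NTFS permissions on B1, not by the firewall.

```batch
@echo off
rem Added example: lock down the XP SP2 firewall on B1 so that the only
rem inbound traffic accepted is SMB (TCP 445) from B2's address.
rem Run from an administrative command prompt on B1.

rem Assumed addressing (not from the original post):
rem   B1 = 192.168.1.2, B2 = 192.168.1.3, gateway = 192.168.1.1
set B2_ADDR=192.168.1.3

rem Turn the firewall on for every profile; "exceptions=ENABLE" means the
rem allow-list below is honoured, everything else inbound is dropped.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

rem Disable the broad "File and Printer Sharing" exception, which would
rem otherwise open TCP 139/445 and UDP 137/138 to the whole subnet.
netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=ALL

rem Do not answer ping or multicast/broadcast probes from the LAN.
netsh firewall set icmpsetting type=8 mode=DISABLE profile=ALL
netsh firewall set multicastbroadcastresponse mode=DISABLE

rem The single exception: TCP 445 (direct-hosted SMB) from B2 only.
rem scope=CUSTOM restricts the opening to the listed addresses; any other
rem host, including an attacker that is not B2, is still dropped.
netsh firewall set portopening protocol=TCP port=445 name="SMB from B2 only" mode=ENABLE scope=CUSTOM addresses=%B2_ADDR% profile=ALL

rem Give B2 a fixed address so the scope above stays valid (run this on B2,
rem interface name is an assumption; skip if the router can reserve it).
rem netsh interface ip set address name="Local Area Connection" static 192.168.1.3 255.255.255.0 192.168.1.1 1

rem Verify: the output should list only the 445 opening, scoped to B2.
netsh firewall show config
netsh firewall show portopening
```

Note that anything B2 sends to port 445 still reaches B1, because that is the path the share needs; the firewall only narrows who may talk to it. If B1's share is exported read-only (share permission Read for the account B2 uses, with matching NTFS permissions) B2 cannot write files onto B1 over it. The firewall does nothing for the reverse direction: XP's firewall cannot stop B1 from initiating connections to B2, so B1 should simply have no mapped drives or saved credentials pointing at B2.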