Actually, this is not as stupid as you think. It really depends on the specifications and needs for the students/staff, i.e. student PCs might need a CD-RW/DVD-RW drive for backing up Photoshop images because they do an arts subject, however admin staff might only need a CD-RW/DVD drive because everything is backed up to the network attached storage.
Again, not as absurd as you think. Using VLANs you can designate that all student PCs plugged into specific ports are automatically assigned a "student IP address range". Likewise for staff. This is usually a good idea because you wouldn't want a student impersonating a staff machine and getting information such as payroll or student records.
In a small LAN, it's quite easy to record the MAC address of each PC and enter it into a DHCP server. In fact, it's best practice to record the MAC address, serial number, and slap an asset barcode onto the machine to know that it's the company's.
As for your hardware solution, I believe a Cisco VPN concentrator would do; else you could budget on a smaller scale for, say, a D-Link router that actually does VPN between routers, and do it site to site instead of site to endpoint.
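To make the VLAN/DHCP/asset-register idea above concrete, here is an added example (not part of the original post, and not anyone's production code). It keeps a small constructed inventory of MAC address, serial and asset tag per machine, renders ISC dhcpd host reservations from it, and checks DHCP lease events against the port-to-VLAN map so that a staff MAC showing up on a student port, an unknown device, or an address outside the expected range gets flagged. All MACs, ports, VLAN ids, address ranges and function names are made up for the example.

```python
"""Added example: reconcile DHCP lease events with an asset register
and a port-to-VLAN plan.  Every value below is constructed; the
function and field names are hypothetical, not from any real product."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed asset register: MAC -> asset tag, serial, role, reserved IP.
INVENTORY = {
    "00:11:22:33:44:01": {"asset": "A-1001", "serial": "SN-STU-01", "role": "student", "ip": "10.10.0.11"},
    "00:11:22:33:44:02": {"asset": "A-1002", "serial": "SN-STU-02", "role": "student", "ip": "10.10.0.12"},
    "00:11:22:33:44:10": {"asset": "A-2001", "serial": "SN-ADM-01", "role": "staff",   "ip": "10.20.0.5"},
}

# Constructed VLAN plan: one VLAN id and address range per role.
VLANS = {
    "student": {"vlan": 10, "network": ip_network("10.10.0.0/24")},
    "staff":   {"vlan": 20, "network": ip_network("10.20.0.0/24")},
}

# Constructed switch access-port assignment: port name -> VLAN id.
PORT_VLAN = {"Gi1/0/1": 10, "Gi1/0/2": 10, "Gi1/0/24": 20}


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so '00-11-22-..' and '00:11:22:..' match."""
    return mac.strip().lower().replace("-", ":")


def dhcpd_reservations() -> str:
    """Render the register as ISC dhcpd 'host' stanzas (fixed-address per MAC)."""
    lines = []
    for mac, rec in sorted(INVENTORY.items(), key=lambda kv: kv[1]["asset"]):
        name = rec["asset"].lower().replace("-", "")
        lines.append(
            f"host {name} {{ hardware ethernet {mac}; fixed-address {rec['ip']}; }}"
        )
    return "\n".join(lines)


@dataclass
class LeaseEvent:
    mac: str   # client hardware address as seen by the DHCP server
    ip: str    # address handed out
    port: str  # switch port the client is plugged into


def check_lease(event: LeaseEvent) -> tuple:
    """Return (verdict, reason) for one lease event.

    Verdicts: 'ok', 'unknown-device', 'unknown-port', 'vlan-mismatch',
    'range-mismatch'.  A staff MAC on a student port is the case the
    post warns about (someone trying to look like a staff machine)."""
    mac = normalize_mac(event.mac)
    rec = INVENTORY.get(mac)
    if rec is None:
        return ("unknown-device", f"{mac} is not in the asset register")

    port_vlan = PORT_VLAN.get(event.port)
    if port_vlan is None:
        return ("unknown-port", f"{event.port} has no VLAN assignment")

    expected = VLANS[rec["role"]]
    if port_vlan != expected["vlan"]:
        return ("vlan-mismatch",
                f"{rec['asset']} ({rec['role']}) seen on VLAN {port_vlan}, "
                f"expected VLAN {expected['vlan']}")

    if ip_address(event.ip) not in expected["network"]:
        return ("range-mismatch",
                f"{event.ip} is outside {expected['network']} for role {rec['role']}")

    return ("ok", f"{rec['asset']} on port {event.port} in VLAN {port_vlan}")


def audit(events) -> list:
    """Run check_lease over a batch and return (mac, verdict) pairs."""
    return [(normalize_mac(e.mac), check_lease(e)[0]) for e in events]


if __name__ == "__main__":
    # Constructed lease events for a quick demo run.
    sample = [
        LeaseEvent("00:11:22:33:44:10", "10.20.0.5", "Gi1/0/24"),  # staff PC, staff port
        LeaseEvent("00-11-22-33-44-10", "10.20.0.7", "Gi1/0/1"),   # staff MAC on a student port
        LeaseEvent("00:11:22:33:44:02", "10.20.0.9", "Gi1/0/2"),   # student PC got a staff-range IP
        LeaseEvent("de:ad:be:ef:00:01", "10.10.0.50", "Gi1/0/2"),  # not in the register
    ]
    for mac, verdict in audit(sample):
        print(mac, verdict)
    print(dhcpd_reservations())
```

In practice the inventory would come from the asset database and the port information from the switch's MAC address table or DHCP snooping binding table, but the reconciliation logic stays the same: the MAC must be known, the port's VLAN must match the role recorded for that asset, and the address handed out must fall in that role's range.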