My configuration is documented (at least partially)
here.
dhcpd wasn't that bad, and all of the inter-windows communications must take place via firewall rules on my OpenBSD firewall (quite convenient, IMHO). Since Windows doesn't have to bother with L2 (other than getting traffic to the gateway), I don't have to worry about ARP or any other silliness. My OpenBSD firewall has a fun routing table (ARP table is still the same size it was before, I believe), but other than that the Windows hosts believe they're the only hosts on their physical network. The only real complication is monitoring (iftop -NPi $interface doesn't show ALL NIC traffic (as you'd expect...you have to monitor per-vlan) =)
Pretty neat, since I'd actually lost sleep worrying if my daughter would get her Win7 box infected and that lead to my wife's Win7 box getting infected as well. Now I just need a vlan-capable wireless router (my access point is running dd-wrt (won't run openwrt), but this build of dd-wrt for this exact model has to have ipv6, vlans, and a bunch of other stuff turned off to fit).
Edit: didn't notice jggimi had quoted me with the embedded link to my LQ blog entry outlining this layout. Sorry for the double-link heh.