My understanding of the download package is that it's not intended for production. What you are describing isn't production use, but a test. However it sounds like you might have real student data in the system during the test, so you are correct in being concerned about security.
I don't think you need a second firewall for your test. This is a general security recommendation. The idea being that you use two different types of firewall, so that a single type of attack may not work against both (there are other reasons as well that have to do with setting up a large enterprise network which this is not).
On your home firewall, however, make sure you only expose port 80 of your home system. This will help protect you against random attacks against your XP machine. Windows isn't known for being particularly secure out of the box. Also make sure you are up to date on your Windows updates.
It's been a while since I used the XAMPP download. In terms of directories, you want to make sure that moodledata isn't visible from the web. So you need to find the directory where moodle's php files are loaded and make sure that that is not the same folder as where moodledata is stored. I am pretty sure the all-in-one installer does this correctly, but again I haven't looked at it in a long time.
In terms of passwords you need to make sure there is a root password set on the mysql database for the root user. This is somewhat mitigated if you only allow port 80 access. However try checking to see if phpmyadmin is included in the XAMPP bundle with
http://yourip/phpmyadmin or http://yourip/mysql
If you get a webpage on either of these and it lets you in without a login or with root and a blank password you have a security issue. Luckily phpmyadmin will allow you to reset permissions and you can reset the root user to have a password. Note this may break your moodle if it's using the root account. If so you need to edit the config.php file to use the newly set password. And generally in production I wouldn't use the root password for my php application's database access.
After that for your test make sure you have a decent admin password set.
Some warnings. Test how well this works before you show it to anyone. You may find that your upstream connection to the internet at home is really poor. This is typical of home internet connections, which are typically very fast at downloading and very slow at uploading. You don't want to give a poor impression of Moodle by rushing a test setup that doesn't work properly. You may find it works acceptably with a single user and totally falls apart with multiple students logging in at the same time.
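The three configuration checks the post above recommends (moodledata outside the web root, Moodle not connecting as root, no blank database password) can be read straight out of config.php. The script below is an added example, not code from the post or from Moodle; the config.php contents and the XAMPP paths it uses are constructed sample values, and the web document root is passed in as an assumption.

```python
import re
from pathlib import PureWindowsPath, PurePosixPath

# Constructed sample of a Moodle 1.x-style config.php as an all-in-one
# XAMPP bundle might leave it (assumed values, not from a real install).
SAMPLE_CONFIG = r"""<?php
unset($CFG);
$CFG->dbtype    = 'mysql';
$CFG->dbhost    = 'localhost';
$CFG->dbname    = 'moodle';
$CFG->dbuser    = 'root';
$CFG->dbpass    = '';
$CFG->wwwroot   = 'http://localhost/moodle';
$CFG->dirroot   = 'C:\xampp\htdocs\moodle';
$CFG->dataroot  = 'C:\xampp\htdocs\moodledata';
"""

# Matches single-quoted assignments such as  $CFG->dbpass = '';
SETTING_RE = re.compile(r"\$CFG->(\w+)\s*=\s*'([^']*)'\s*;")

def parse_config(text):
    """Return a dict of the single-quoted $CFG settings found in config.php."""
    return dict(SETTING_RE.findall(text))

def _parts(path):
    # Accept Windows (XAMPP on XP) or POSIX paths; case-fold for Windows.
    is_win = "\\" in path or re.match(r"^[A-Za-z]:", path) is not None
    p = PureWindowsPath(path) if is_win else PurePosixPath(path)
    return [part.lower() for part in p.parts]

def is_under(child, parent):
    """True if child equals parent or lies somewhere inside it."""
    c, p = _parts(child), _parts(parent)
    return bool(p) and c[:len(p)] == p

def audit(cfg, docroot):
    """List the findings for the points raised in the post; docroot is the
    web server's document root (assumed, e.g. C:\\xampp\\htdocs)."""
    findings = []
    dataroot = cfg.get("dataroot", "")
    if dataroot and is_under(dataroot, docroot):
        findings.append("moodledata is inside the web root and may be served over HTTP")
    if cfg.get("dbuser") == "root":
        findings.append("Moodle connects to MySQL as the root account")
    if cfg.get("dbpass", "") == "":
        findings.append("database password is blank")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG), r"C:\xampp\htdocs"):
        print("WARNING:", finding)
```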