Oh, I'm well aware of all those settings, both in the router and within W7 itself. Sure, it'll work. What you suggest is entirely configurable and generally reliable. I've done it myself.
But I think you hit on something with "you have to be doubly sure..."
No. I don't.
As long as there's a connection, there's a possibility, however unlikely, of a violation or incursion. So when something goes wrong, there's always that lingering question mark if it's net-related. But with no physical connection, that question is off the table.
I send and receive engineering data by email attachment and conduct design review webinars.
Having no physical connection ensures all other customers have their data offline 100% of the time - they like that - with only the customer, and that specific job, exposed.
So sure, what you say will generally work. And perhaps what I do is overkill. But there are other factors afoot.