Good solution for training lab in branch office

I need a cost effective solution that provides a reasonable amount of
security.

The environment is a remote office using a cable Internet connection
with a couple of public IP addresses. The site will contain two W2K3
domain security servers. One server will support our company domain
and the other will support a training lab domain that is used by one of
our suppliers (I control the lab hardware/software but the supplier is
responsible for those who use it). I need to have a site-to-site VPN
tunnel and Internet access for the company domain, but only need
Internet access for the training lab domain. I have a Cisco PIX 515UR
at the corporate office as well as a Cisco 3000 VPN Concentrator. In
terms of spare equipment, I have a Cisco VPN3002 Hardware Client. The
training domain will support up to a dozen people and the company
domain will have about the same.

I have never set-up a hardware site-to-site VPN before (or a split
tunnel) and am not sure how to lay out the network. I am somewhat
concerned about preventing the lab domain from gaining access to our
company domain - but it seems low risk. I need to buy a firewall
(preferably Cisco to enhance interoperability with existing
infrastructure). If I can use the 3002 for the corporate VPN tunnel,
then I can buy an inexpensive PIX (501 - 50 user) to handle the
Internet traffic for the remote office people as well as the training
lab folks. Another solution is to run all of the "company" traffic
back through the 3002 and just have the lab on the 501 (I just hate the
thought remote offices using corporate bandwidth in both directions).

Any thoughts are appreciated.