I am sure we all have gone through this situation at least once in our "technical life time". The biggest concern of building or creating a lab is to make sure it is not going to interact with production systems. The possible or available method is to create a separate subnet using some sort of hardware solution. Normally most the systems administrator or engineers are not familiar with creating a VLAN or LAN with internet connectivity. We always have to ask networking folks to do this job. We all know how hard it is to deal with those folks (: –). In my opinion, we need to have a lab which is separated from the production network using hardware of software solution. A hardware solution is always expensive and it not easy to configure. Here is a simple solution you can use to create an isolated lab. "The" ISA Server. It is very easy to install and configure. Allow only necessary ports to and from your production network. For example, if you want to RDP into lab servers from your production workstation, allow 3389 only. By default the ISA Server will block all the traffic using its Default firewall rule. Also, ISA Server will act as a router between the Lab and your production networks. I think it is very simple solution that any system administrator or engineers can implement.