What type of router are you using. The simplest way may be to restrict access at the router. Even a Linksys router can filter by IP or MAC address. It could also forward port 22 to your computer, but I would recommend changing the port used by your ssh server. This will reduce the number of script kiddie brute force attacks against ssh. Also, as you may have done already, disallow root logins and use "AllowUsers <yourusername>" to disallow login attempts from all other users, including system users. This isn't perfect if a user changes the MAC address on their NIC deivce. You will also need to lock down the router with a username/password to keep users from changing the access controls. ( I'm not assuming you didn't realize that. )
For some general samba networking solutions, you might want to look on the samba.org website for the book "Samba 3 by Example". One of the first examples is a server setup for a non-profit office. They have a simple share setup that anyone can write to, a readonly document share, and a printer. The configuration on both the server and for various Windows OSes are covered.
On many distro's, these books are included with a samba-doc package and installed to /usr/share/doc/packages/samba/.
Something else to consider is to use samba swat to configure the server. On some distro's you might only need to enable the swat service in a gui xinetd service configuration tool. In other's you my need to add a file called swat in /etc/xinet.d/.
# SWAT is the Samba Web Administration Tool.
socket_type = stream
protocol = tcp
wait = no
user = root
server = /usr/sbin/swat
only_from = 127.0.0.1
log_on_failure += USERID
This will allow root to use swat from the server itself. To be even safer, you could enable the service before using it and disable it afterwards. In this situation, being too paranoid may not be necessary. Sometimes, security is a good part social engineering. Being very anal could generate ill will which you wouldn't want to do in a volunteer organization.
You access the swat service by pointing a web browser to http://localhost:901
. You can even use "ssh -X username@server" to log into the server and then start the browser with this IP address. This will require the browser to be installed on the server as well as a mimimal amount of xorg libraries installed as well. ( Some people don't install any x.org or gui programs at all. ).