<disclaimer> I'am not an expert at this </disclaimer>
1, yes that would be true, unless of course somebody manages to break into your network and reconfigure things, but then thats another matter altogether.
2, yes and no. You could do it that way but then you might have problems with the amount of NATing your doing.
Instead of 3 routers you could go a number of ways, depending what hardware you have at you disposal.
Method A,
! this may still give you NATing problems !
In this method you port forward from router_A to the webserver,
Then all you other computers sit behind router_B which should
keep hidden. Both routers are standard consumer thingies
Code:
[internet]-<>-router_A
\-<>-webserver
\-<>-router_B
\-<>-your_computers
Method B,
This method uses a router/firewall that has 3 zones,
red = internet;
orange = publicly accessable network;
green = your private network.
This can either be a purpose built device or a computer configured in the relevant way to behave like a this (see >
http://www.smoothwall.org/)
Code:
[internet]-<>-(red(WAN))-router_A
\-(orange(DMZ))-<>-webserver
\-(green(LAN))-<>-your_computers
There maybe other ways to go about this which i am not aware of. Personally i use method B.