I've got a fresh install of Debian Wheezy on my laptop, and for security reasons I would like to not have any proprietary firmware running on this system. However, I require iwlwifi non-free microcode for my wireless card ...

Is there any way for me to use Xen or some other form of virtualization to install another copy of Debian in a virtual environment that does have the proprietary Intel binary firmware installed, and can use the wireless card, without having this firmware installed on the host environment?

EDIT: To clarify, I do not need or want wireless access in the host environment - I only want wifi in the virtualized environment.

Maybe. Some newer systems have more direct ways to connect real hardware. Your system and host os and vm app need to support it fully.

What I get from your statement(yet not said) is that you have a wireless device that you want to attach to a server. If it is usb then it can be directly supported in some vm's. Most servers may not have vm support by default.

I am not looking to attach a USB wifi device to a server. I am just trying to use the internal Intel wireless card that came in my laptop, without letting any closed-source/proprietary code interact with the Linux kernel.

But you are correct, regarding direct hardware access. Since I made the original post, I have learned of PCI Passthrough, which is available for both Xen and qemu/KVM ... This will allow me to grant the guest VM direct access to PCI devices, and have the iwlwifi driver running only on the guest VM. The proprietary firmware will still be installed on the physical wireless card by the guest VM's iwlwifi module and will be able to interact with the guest OS kernel, but there will be no drivers on the host VM running in kernel space that will be interacting with the firmware ... at least that is my understanding.

Am I correct in assuming that if I installed iwlwifi on a qemu/KVM guest OS and used PCI passthrough to give this guest direct access to the wireless card, and did *not* install iwlwifi on the host VM, that there would be no way that the proprietary firmware could interact with the host VM's kernel?

I'd doubt the laptop supports pci but you can sure try.

My limited understanding is that like a usb attached to client so does a pci attach. It is almost transparent and for most it is transparent. It should not let the firmware in client affect the host.

There has been much discussion over the decade or so in vm's as to how secure or safe they are. In an odd twist, the more closely the vm uses hardware the more likely that some data issue will be shows to be a security hole.