How should I isolate computers with different roles on a network
Solution 1:
Consider using different VLANs for each role, and using a firewall to pass traffic between them. The firewall will, of course, be configured in such a way to only allow the appropriate traffic through.
Solution 2:
Split up the two networks completely and put a firewall between them (or just isolate the process network). There is no reason to expose process systems like that.
Once this is done you have to consider how to access the databases in the process part of the network. There are many solutions (port forwarding, SQL proxy etc) but my personal recommendation would be to setup a new SQL server, dual home it both in the process and the user network and replicate all the data users need access to to this host. Then make sure you lock down the SQL server as far as possible.
Solution 3:
If you don't wan't to start doing some fancy networking, you can do Private VLANs. Higher ends Cisco switches can do this.