1. Using your proposed approach, make sure that the router that you plan to get has outbound address filtering. This cannot simply be "port" filtering. A quick spin through Linksys, Belkin, and Netgear sites for a couple of routers all showed only "port" filtering, so I'm not certain what make/model to suggest -- perhaps someone here can suggest one. With "address" filtering, simply block as a destination all addresses on your 192.168.1.x segment except for the router. I'm not sure you'll find a cheap solution here since most residential routers are all based on pretty much the same underlying software.
2. Perhaps simpler, reverse your idea. Make the router closest to the Internet the WEP network and put the DS and any "guests" on it. Make the new router the WPA router.
Now, you can reach the network where the DS is located from your "private" network behind the new router, but the DS can't reach back into your network. Since the Westell is a "switch", the DS or anyone who gets on that network wouldn't be able to see your traffic.
A third idea just came to mind ... get a new router which supports a "guest" network concept (my Belkin Wireless N router does this). Put both your networks behind this router -- yours on the primary network running WPA, and the DS on the guest network running WEP.
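The difference between "port" and "address" filtering in option 1, modelled as an added example (not part of the original post and not any router's firmware): a first-match rule evaluator run over constructed flows. The /24 mask, the router at 192.168.1.1, the blocked ports and the sample hosts are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumptions: /24 mask and router at .1 on the 192.168.1.x segment.
PRIVATE_NET = ipaddress.ip_network("192.168.1.0/24")
ROUTER = ipaddress.ip_network("192.168.1.1/32")


@dataclass(frozen=True)
class Rule:
    action: str                                      # "allow" or "deny"
    dst_net: Optional[ipaddress.IPv4Network] = None  # None = any address
    dst_port: Optional[int] = None                   # None = any port

    def matches(self, dst, port):
        if self.dst_net is not None and dst not in self.dst_net:
            return False
        return self.dst_port is None or self.dst_port == port


def decide(rules, dst, port):
    """First matching rule wins; unmatched traffic is allowed out."""
    addr = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(addr, port):
            return rule.action
    return "allow"


# Port-only filtering (constructed rules): blocks two file-sharing ports.
PORT_FILTER = [Rule("deny", dst_port=139), Rule("deny", dst_port=445)]

# Address filtering as described: allow the router, deny the rest of the segment.
ADDRESS_FILTER = [Rule("allow", dst_net=ROUTER), Rule("deny", dst_net=PRIVATE_NET)]

# Constructed flows leaving the filtered network: (destination, port).
FLOWS = [("192.168.1.1", 53), ("192.168.1.50", 445), ("192.168.1.50", 80),
         ("192.168.1.77", 22), ("203.0.113.10", 443)]


def reachable_private_hosts(rules):
    """Flows that still reach a private host other than the router."""
    return [(d, p) for d, p in FLOWS
            if decide(rules, d, p) == "allow"
            and ipaddress.ip_address(d) in PRIVATE_NET
            and ipaddress.ip_address(d) not in ROUTER]


if __name__ == "__main__":
    print("port filter leaves reachable:", reachable_private_hosts(PORT_FILTER))
    print("address filter leaves reachable:", reachable_private_hosts(ADDRESS_FILTER))
```

With port-only rules, every service on a port that was not listed stays reachable on the private segment; the address rules close the whole segment while still allowing the router and Internet destinations.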