Really? Have you ever actually configured a switch? I'm talking a real switch, not a hub. The switch sees all traffic from the modem (which will oftentimes only give 1 IP, not multiple) and sends it to the gateway (usually a router for folks), and the gateway sends it out. There won't be any "packet confusion" because you're using a layer 2 switch, not a hub.
Otherwise, my single switch that's sitting next to me running a whole collection of networks must clearly not be working.
(You DO have to use an internal network IP, such as 10.10.x.x or 192.168.x.x, because they are not routable over the internet, hence why it's not really a security issue. You cannot ping 192.168.34.1 over the internet.)
The big catch with this configuration would be that your router needs to not give out DHCP to anyone but the server, and all your clients have to be directly pointed to the gateway manually. The bigger security threat would actually lie within your network, not from the internet. For home use, it's not really an issue. For a business LAN, you would obviously want to configure it differently, but it would certainly work. Worst case at home would be a laptop connecting while set to DHCP and just conflicting with your gateway, causing your internet to stop working until you fix it.
It's not ideal, but it would certainly work. Worst case, the ISP's first-in-line router will start filtering your broadcasts. You would want a switch you can tell not to FWD broadcasts through that specific port.
http://img.techpowerup.org/120610/Capture012927.jpg
A second NIC to flow traffic through would only change your available bandwidth (if everything is gigabit, you still have plenty with a single), and you would have the computer filtering broadcasts instead of the switch. The cable modem/DSL modem will never even know a computer is on the same physical network.
If you were to custom format your IP headers, you could potentially attack the computer from the outside network, by changing the MAC address in the header to that of the client; but discovering it wouldn't be easy, and the computer would just be like "oh this packet isn't for me /trash because it has the wrong IP address." (The internal network IP would negate your ability to traverse the internet for this type of attack.)
This statement contradicts itself. A different subnet is a completely different network.