Ah ha! Success!

1) Did a full reinstall of XP on the kid's PC (M2) - [I think this was what was wrong]
2) Pulled the second NIC on M1 and fed everything thru the switch. You guys were right.
3) Changed the IP addressing to the 190.etc. block (the 176.xxx block SHOULD work - I'll try it again some day)
4) Installed IPX/SPX in M1 & M2 - disabled F&P sharing on TCP/IP and enabled it on IPX/SPX for both. That way folks on the Web can't browse my folders but I can - remember to set an different internal network numbers for IPX/SPX/NetBIOS in the relevant machines if you do this.
5) ZoneAlarm sees it as one big network now (you see what I was trying to do) so I won't trust it generally but WILL trust the address of M2.

Now to reinstall all the fr&^*$ing software!

Many many thanks to all of you for all the suggestions and advice - it really helped me to redefine the problem and fix it. Ain't PPRuNe great!