I think you all might be frightening the OP a little here.

DNS port lockdown plus OpenDNS *should* be sufficient, and I don't think law enforcement agencies would be expecting you to have put in £xxxk's worth of SPI firewalls and full network architecture just to limit the exploits of a couple of lodgers.

If you're that worried, then a legal agreement is probably the easiest way to ensure safety, but whilst prudent even then that's going above and beyond what's expected.

I'd suggest a Tomato router would be a useful addition though. It gives you options above and beyond the basic BT HH, at a reasonable price point. I can talk you through setting one up if you want to PM me.

Cheers,
Mike.