A few thoughts. First, wow. Good for you. Many on here, and I understand, will say do not let employees play with email and web surfing at all, but you do, so let's go with that.
I don't know if you are talking wireless or wired, but either way, I like this idea the best. Personally, I would make sure it is a COMPLETELY different network with a completely different subnet. Absolutely no way of someone hacking in. So, I am sure you have a modem connected to a router connected to a switch which supplies all of the clients and the server with a connection to the network and Internet, etc.
You can get a small Netgear switch and connect the modem to that switch. Now run an Ethernet cable to your network router. You now have the same network you started with. Take another Ethernet patch cable, run it from the small switch to a router, which is going to be the router/firewall for the isolated network. You can connect that to a different switch for the Chromebooks or you can connect to one of the patch panels that runs to an Ethernet jack in your office, which could be wireless.
Yes, you could do a similar thing with a VLAN on your switch, separating the two. I just do it this way, because there is absolutely no way to get into my network this way.
One idea I will throw at you. I used to block the Internet with some very good software. I haven't lately. I use it for discipline, shutting it down for two days. No cell phones are allowed. I don't allow Facebook at all except at lunch, and I do NOT allow personal email, mainly web mail such as Gmail.
I allow the use of personal email on Outlook ONLY. Only one employee abused it. The reason I do it this way is because my Exchange is set up for email accounts for each user. There is also an archive account, which gets a copy of any email going out/in or, most importantly, between users in the office. The employees know, and it is written down, that the computers are the office's and all email belongs to the office and can be subject to inspection at any time. I don't look at it, but I can. I got burned once by an employee and a bogus harassment suit. One other employee tried to do the same, and there were quite a few emails from her to other employees and to friends about lying about it. Any deleted emails, besides being backed up, are always in the archives. They don't know that. Plus, while maybe not yet, many businesses such as banks, etc. are required by law to have backups of all emails. Having the archives set up is helpful. Just a thought.
The other thought is that with Exchange and using Outlook, all email is encrypted, at least going out, but all email in the office is HIPAA compliant, because it only runs over the network. Do you think that employees may write stuff about patients and then take it home, or that it would be less secure?