If you are using home routers the key is in the WAN interface.
All the hosts connected in the LAN ports can access the hosts in the WAN port, but not viceversa. Your border router act this way: if you want a hosts communicate directly from WAN to LAN you have to forward a port. For example, if you have DVR with cameras and you want to monitor them from Internet, you will have to forward the ports the DVR uses.
So, you could connect in the 192.168.2.1 subnet (just to clarify, this is not a VLAN, this is a subnet, or you can also call it just a net, VLANs are another thing) the PCs that you don´t want to be accessed from the other hosts.
VLANs are kind of partition of a LAN where the broadcast can propagate inside it but cannot go out. They are used for security, performance and easy of administration. They belong to the 2nd. layer of the OSI model.
The final topology in your case is as follows:
Let´s separate your computers in two groups: group A are the ones you don´t anyone has access and group B are the ones you want to be accessed from another PCs.
First you have your modem connected to the router that will act as border router. It´s LAN IP will be 192.168.1.1/24 (/24 is a notation for the subnet mask 255.255.255.0).
To that router you will connect to it´s LAN ports the group B PCs with IPs ranging from 192.168.1.2 to 192.168.1.254 (.0 is reserved, .1 is you border router and .255 is also reserved).
Also to that router you will connect the second router to its WAN port. In the second router you will set an static IP in its WAN port that belongs to the subnet of the border router. For example 192.168.1.2.
The second router LAN IP will be 192.168.2.1/24. Finally, you will connect the group A PCs to the second router LAN ports. With IPs from 192.168.2.2 to 192.168.2.254. This will be the more "protected" LAN.
I hope this could help!
