What model Sonicwall?
I'd put the Sonicwall up at the edge....create a separate subnet for the "kids"..and manage the traffic via VLANs on managed switches in each building. Ditch the double NAT. Have the stricter policies on the network for the "kids" and the lax policy on the staff. We do this with Untangle at a few schools...different policies for different user groups. You can define those user groups via many different methods.