ttheimer
November 28th, 2004, 04:10 PM
I have a group of public access PCs inside the organization that I want to connect to the Internet while isolating them from all other computers/devices on the network. My idea was to use a pair of VPN routers to tunnel through the company network - one router would be placed inside of the DSL router but outside of the firewall, the other would connect to the public PCs.
Is this a sound approach for isolating the PCs? Is there a better [low budget] approach? Thanks.
z1p
November 29th, 2004, 04:15 PM
It sounds like what you're thinking of is ok, but there are some things to consider.
The first is the vulnerability of the router, having it outside the FW.
Second, if you use VPN software to do this, make sure that it can restrict access to the local network, and that it can't be disabled or have its settings changed.
An alternative is to setup a subnet just for these PCs that is only routed to your internet connection.
For example, let's say your internal network is 192.168.0.0/255.255.255.0 with your gateway being 192.168.0.254.
Then set up a network
10.0.10.0/255.255.255.0
default gateway 10.0.10.254
Then at the default gateway route all internet traffic to 192.168.0.254. To be safe you could drop all traffic to 192.168.0.x IPs.
The downside here is that someone could potentially 'snoop' private network traffic from one of the public PCs. If you are running a switched network, that shouldn't be a problem.
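The isolated-subnet layout described in the reply above, worked out as a Linux gateway configuration. This is an added example and not code from either poster. It assumes the 10.0.10.254 gateway is a Linux box with two interfaces (the names eth0 on the LAN side and eth1 on the public-PC side are assumptions), that the existing LAN gateway is 192.168.0.254, and it goes slightly beyond the post by dropping traffic from the public subnet to all RFC 1918 ranges rather than only 192.168.0.x. The `policy` function mirrors the verdict the generated FORWARD chain gives a new connection, so the rule set can be checked before it is loaded.

```shell
#!/bin/sh
# Added example (not from the original thread): a Linux box acting as the
# 10.0.10.254 gateway for the public-PC subnet. Interface names and the
# use of Linux/iptables are assumptions; the addresses come from the post.

PUBLIC_NET=10.0.10.0/24          # public-PC subnet from the post
PUBLIC_GW=10.0.10.254/24         # this box's address on the public side
LAN_NET=192.168.0.0/24           # internal network from the post
LAN_GW=192.168.0.254             # existing internet gateway from the post
LAN_IF=eth0                      # assumed: interface toward the LAN/internet
PUB_IF=eth1                      # assumed: interface toward the public PCs
# Everything private is off-limits to the public PCs (all of RFC 1918,
# which is broader than the post's "drop 192.168.0.x").
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# ip4_to_int DOTTED_QUAD -> 32-bit integer, for prefix matching in plain sh.
ip4_to_int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net IP CIDR: succeeds (exit 0) when IP lies inside CIDR.
in_net() {
    ip=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# policy SRC DST: the verdict the FORWARD chain below gives a NEW connection.
# Only the public subnet may originate forwarded traffic, and never toward
# a private destination; everything else goes out to the internet.
policy() {
    src=$1; dst=$2
    in_net "$src" "$PUBLIC_NET" || { echo DROP; return; }
    for priv in $PRIVATE_NETS; do
        if in_net "$dst" "$priv"; then echo DROP; return; fi
    done
    echo ACCEPT
}

# emit_rules: print the commands that configure the gateway. Run as root
# with:  emit_rules | sh
emit_rules() {
    cat <<EOF
ip addr add $PUBLIC_GW dev $PUB_IF
ip route add default via $LAN_GW dev $LAN_IF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # Explicit drops first, so a later ACCEPT can never reach the LAN.
    for priv in $PRIVATE_NETS; do
        echo "iptables -A FORWARD -i $PUB_IF -s $PUBLIC_NET -d $priv -j DROP"
    done
    cat <<EOF
iptables -A FORWARD -i $PUB_IF -s $PUBLIC_NET -o $LAN_IF -j ACCEPT
iptables -t nat -A POSTROUTING -s $PUBLIC_NET -o $LAN_IF -j MASQUERADE
EOF
}
```

The default FORWARD policy of DROP plus the single ACCEPT from eth1 to eth0 means the LAN also cannot open connections toward the public PCs; only replies to connections the public PCs started come back. MASQUERADE hides 10.0.10.0/24 behind the gateway's LAN address so the existing 192.168.0.254 gateway needs no route back to the new subnet. If the public PCs must use an internal DNS server on 192.168.0.x, add one `iptables -A FORWARD -i eth1 -d <server> -p udp --dport 53 -j ACCEPT` ahead of the DROP rules rather than loosening the DROPs; and harden the gateway box's own INPUT chain, since it is now reachable from the public PCs.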