Please close this question while I hide in shame.... x_x
For those who want answers, here's what I did:
Question 1>> I tried the settings myself in a safe environment. Works like a charm. Of course, after leaving more ports open for outgoing access, because my proxy handles only the HTTP and HTTPS protocols.
Question 2>> Also tried it with MAC filtering. Good to go.
Question 3>> Instead of using the "advanced" guest network feature, I disabled that. Created a second WLAN SSID, which was then put into a guest VLAN. Bandwidth control, IP assignment, firewall exclusion: all of those can then be handled by the new router itself.
Good luck fellow learners.
Current setup is 1 modem+router with WLAN and a switch attached to it. 8 PCs connect through Ethernet, 2-6 PCs and some smartphone devices through WLAN.
One of the PCs on the Ethernet acts as a data server, a DHCP+web server (solely for proxy.pac publishing), a proxy server (for traffic shaping), and a remote app server. So I call it "The Thing".
What I want to do is to force all clients to use the proxy and to allow the remote app to be accessed from the internet. My current router has a firewall feature, but the web UI loads too slowly for some settings pages, like the firewall's. Port mapping also can't be done for this reason.
I bought a new router and configured it as follows (not in use yet though, until I'm sure it is good):
1. Router's IP > 192.168.1.1
2. The Thing's IP > 192.168.1.101, port 808 for the HTTP and HTTPS proxy server, port 80 for the web server.
3. Firewall > only allow OUT access on ports 80, 443, and the remote app port for The Thing; allow all IN access; deny other requests.
4. Port map all remote app requests to The Thing.
Here are my questions:
1. Will the setting deny clients' access to HTTP and HTTPS successfully? Will it affect any internal access?
2. Can the remote app be accessed from the internet with this firewall setting? I'm also thinking of filtering the devices that can access this remote app (MAC filtering, VPN, whichever is good).
3. If the answer to question 1 is yes, I need to do something about the smartphone devices not being able to connect to the internet without configuring a proxy. So I have two options:
A. Each time someone wants to access the internet from their smartphone for the first time, they come to me to get their device configured. A hassle for me, of course, as I have other things to do, and if I'm not available they cannot do anything. A tutorial is out of the question, as most of them are much older than me and don't have the time to learn these things.
B. I'm thinking of creating a guest network. The other two options are sub-options to this one.
B-1. The new router, a TP-Link TD-W8970, has a guest WLAN feature. The guest WLAN is isolated from the main LAN, and it also has bandwidth control. Instead of shaping the guests' traffic, I can throttle it entirely. However, the firewall denies all clients direct access to the Internet. So using the router's feature, I can give the router another IP (let's say 192.168.2.1), which means another subnet. This subnet is allowed to access the Internet directly. To make it so that only the guest network uses this subnet, I will attach a wireless card to The Thing, give it a static IP (192.168.2.101), connect it to the guest WLAN, and have it act as a DHCP server for this subnet, while also acting as a DHCP server for the main subnet. Do I have the right idea?
B-2. Attach the old router to the new router to broadcast the old WLAN SSID as the guest network. Hopefully I can separate the old router's connections and the main LAN using VLANs, enable DHCP on the old router, allow direct access to the internet for those connections, and configure bandwidth throttling on the new router for any connections on the old router, which I think is nearly impossible. I've also read about double NAT, etc.
Any advice is highly appreciated.
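As an added example (not part of the original post), here is what the proxy.pac that The Thing publishes could look like for this setup: LAN destinations go DIRECT so internal access is unaffected, everything else on http/https goes to the proxy on 192.168.1.101:808. A browser supplies isPlainHostName/isInNet/dnsDomainIs itself; they are defined here only so the file runs stand-alone under Node, and the 192.168.2.0/24 guest subnet is taken from option B-1.

```javascript
// Added example: proxy.pac for the network in the post (not the poster's file).
// Browsers provide isPlainHostName/isInNet/dnsDomainIs when evaluating a PAC;
// minimal versions are defined here so the logic can be run and tested offline.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.toLowerCase().endsWith(domain.toLowerCase());
}
// Dotted-quad -> 32-bit number; null on anything that is not a valid IPv4 literal.
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d+$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}
// Only matches IP literals here; a real browser resolves hostnames first (dnsResolve).
function isInNet(host, net, mask) {
  var h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

var PROXY = "PROXY 192.168.1.101:808"; // The Thing, port 808 (from the post)

function FindProxyForURL(url, host) {
  // Internal destinations bypass the proxy: unqualified LAN names, The Thing itself,
  // the main LAN 192.168.1.0/24 and the guest subnet 192.168.2.0/24 from option B-1.
  if (isPlainHostName(host) || host === "localhost") return "DIRECT";
  if (isInNet(host, "192.168.1.0", "255.255.255.0")) return "DIRECT";
  if (isInNet(host, "192.168.2.0", "255.255.255.0")) return "DIRECT";
  // The proxy only speaks HTTP/HTTPS. No "; DIRECT" fallback on purpose: the router
  // firewall blocks direct client access anyway, and a fallback would hide failures.
  if (url.substring(0, 5) === "http:" || url.substring(0, 6) === "https:") return PROXY;
  // Other schemes (ftp:, ws:) cannot use this proxy; DIRECT lets the firewall refuse
  // them visibly instead of silently misrouting them.
  return "DIRECT";
}
```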
