It's easier than running a nuclear reactor--"That's noo-cyoo-ler, son"--but harder than it should be: A Geek Factor column I wrote for Macworld magazine deals with setting up a home hotspot with public and private parts. I took as an assumption that a virtual private network (VPN) connection would be a hassle for an average human being and that you would want to keep your own network traffic completely private. While written for a Mac magazine, it works for any network.
My approach requires two Wi-Fi routers: an inside, WPA-protected gateway for internal traffic that sends its outbound data over its WAN port to a LAN port on an outside, unprotected gateway, which is itself connected to the Internet DSL/cable modem. I chose a Buffalo router model that has privacy separation included as an option. That option can be disabled on the protected inside router, and enabled on the outside router.
Privacy separation should protect the packets that are passing from the inside users over the outside router's Ethernet connection; without this feature, it's possible that a Wi-Fi-connected user to the public hotspot side could sniff passing Ethernet traffic. That's not true on every router because Ethernet and Wi-Fi are bridged, which might reduce promiscuity of traffic, but there's no way to tell explicitly without a switch such as Buffalo uses.
Note to Buffalo: A little more documentation on Privacy Separator would be useful. While it's mentioned in press releases and documented as a switch in manuals, there's no detailed explanation of what it does easily available.