Can you have your company's network guy setup a new VLAN dedicated to your needs? If so, you could simply assign a VLAN to your vSwitch (or DSwitch, for multiple hosts) so it tags everything on the way out and then your company's switch would handle the rest.

The network guy would only need to enable handling your VLAN on that single NIC and you would never need to worry about traffic crossing.

I think you need to provide internet access for you VMs (not the ESXi host) so you need to NAT them like any other system in your network ( just use a subnet that is assigned NAT access)

If you want to isolate your VM's network you can provide for them a specific Port Group (Named LAN, for example) and give it a separate VLAN ID (if you support VLAN in your network). So every VM that is connected ( go to edit settings of each VM and connect it to that mentioned Port Group) is in a separate VLAN and is not related to your production network. If you don't have the VLAN option, then you need to separate your ESXi host networking physically and provide for it another dedicated network to avoid connection with your production network.

You can also use VMware Workstation but if you choose the ESXi you have more flexibility and greater performance in your VMs operations.

But before everything I strongly suggest you read about vSphere 6.7 Networking then start your test deployment.