You're on the right track:
1.) Disable IP routing on the switch but not the router (no need for the switch to be able to route unless you want to route in between the VLANs at the switch and not the router - in which case you would then want to set the subinterface on the router 0.2 to be one interface (you wouldn't need to subinterface anymore because the switch would do the VLAN routing)).
Long story short, use one or the other to route between the VLANs, but not both.
2.) Set up a simple ACL (access control list) in the router (or switch) to deny any 192.168.1.0 to 10.100.100.0 (this is of course assuming you are subnetting both with 255.255.255.0), and deny any 10.100.100.0 to 192.168.1.0.
You use ACLs for control so that even if you didn't want to block all services you could permit a few ports to be open. I.e., let's say you want the public WLAN to be able to access an email server in the internal network - rather than send them through the internet and back in, you could simply set up an ACL for SMTP permit, and deny all other ports. Then your public WLAN would be able to access emails locally but nothing else (not even ping).
As for why you were able to see the network when you disabled IP routing on both the switch and router: at that instant you made it a simple layer 2 switch, and they probably all got the same IP addressing scheme from the DHCP when you did.
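
The SMTP-only policy described above, as an added example that is not part of the original post, written in Cisco IOS-style syntax (an assumption; the post does not name a platform). It shows the two-way deny plus the one exception, including the return-traffic entry the mail server needs so its replies are not caught by the second deny. Assumptions: 10.100.100.0/24 is the public WLAN, 192.168.1.0/24 is the internal network, the mail server address 192.168.1.25 is constructed, and the ACL names, interface names and VLAN numbering are hypothetical.

```cisco
! Added example; addresses, names and interfaces are assumptions.
! Wildcard mask 0.0.0.255 corresponds to subnet mask 255.255.255.0.
!
! Traffic arriving from the public WLAN (assumed 10.100.100.0/24)
ip access-list extended PUBLIC-WLAN-IN
 remark SMTP to the internal mail server is the only exception
 permit tcp 10.100.100.0 0.0.0.255 host 192.168.1.25 eq smtp
 remark everything else toward the internal LAN is dropped (ping too)
 deny   ip 10.100.100.0 0.0.0.255 192.168.1.0 0.0.0.255
 remark all other destinations (e.g. the internet) stay reachable
 permit ip any any
!
! Traffic arriving from the internal LAN (assumed 192.168.1.0/24)
ip access-list extended INTERNAL-IN
 remark replies from the mail server on sessions the WLAN side opened
 permit tcp host 192.168.1.25 eq smtp 10.100.100.0 0.0.0.255 established
 remark internal hosts cannot open connections into the public WLAN
 deny   ip 192.168.1.0 0.0.0.255 10.100.100.0 0.0.0.255
 permit ip any any
!
! Apply each list inbound on the routed interface facing that VLAN.
! Hypothetical router-on-a-stick subinterfaces:
interface GigabitEthernet0/0.1
 ip access-group INTERNAL-IN in
!
interface GigabitEthernet0/0.2
 ip access-group PUBLIC-WLAN-IN in
```

Order matters because the first matching entry wins: each permit for SMTP has to sit above the subnet-wide deny, and without the closing `permit ip any any` the implicit deny at the end of the list would drop all remaining traffic.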