|What router settings do my ISP have to set in the router?.|
That you would have to ask the ISP as there is no way for anybody else to know the answer to this question.
I guess I'll have to use NAT to privide Internet connection to the workstations using one of the public IPs?.
Most likely yes. I'd be curious to know what you've been using prior to getting the SHDSL connection.
Most small to medium businesses can get away with using a SOHO Router which will provide not only a firewal for protection but also NAT, DHCP and if needed, DMZ capability for servers that need direct external connectivity.
I'll need these extra IPs for VPN and the Exchange Server right?
I suppose you could go that route for an Exchange Server but it isn't necessary with a VPN device. Most enterprise level VPN devices reside between your LAN and the WAN. So, by way of example, and assuming a SOHO Router in the mix, a VPN setup with a dedicated VPN device would look as follows:
Internet >> VPN Device >> SOHO Router >> LAN (ie: clients/servers)
Some SOHO Routers have VPN endpoint capability so you could again save some $$$ buy getting one of those if you require VPN.
As for Exchange, and I know little about exchange, but if you need direct access to it from the internet, if your SOHO Router has a DMZ, you could put that server in the DMZ.
Do I have to purchase a firewall to protect the LAN and the NAT conversion?
If you'd like your internal network protected from intrusion from the external network a firewall is a good idea. These days, nobody goes without putting a firewall between them and the internet.