Actually you are right. The host cannot use a device while it is passed through to a guest VM (i.e. you cannot have the host use the same graphics card that you pass through to a guest; it would need to use its own), but it can still detach it from the guest VM and then use it (meaning that the host can break the isolation). So the OP will need to have two Xen virtual machines and a host known to be non-compromised that is used for nothing other than Xen, and which has no networking code present on it. He will also need three hard drives: one for the host, one to be passed through to the first VM and another to be passed through to the second. He would also need a third Xen VM with a network card passed through to it, for all of the other VMs to route through to gain access to the internet. This is essentially describing Qubes btw. +1 for pointing that out, my original description was misleading (because the host can access the passed-through hardware, it just needs to detach it first).
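For concreteness, here is what that layout looks like as Xen `xl` domain configs. This is an added illustration, not part of the comment above and not taken from Qubes; the PCI address `03:00.0`, the VM names, the bridge name `xenbr0` and the block devices `/dev/sdb` and `/dev/sdc` are assumed values you would replace with your own. The net VM gets the NIC by PCI passthrough and acts as the network backend (driver domain) for the other VMs, so dom0 never has to carry a network stack; each isolated VM gets its own whole drive.

```conf
# /etc/xen/net-vm.cfg  -- the network VM (driver domain)
# Before creating it, make the NIC assignable from dom0, e.g.:
#   xl pci-assignable-add 03:00.0
# or boot dom0 with  xen-pciback.hide=(03:00.0)  so dom0 never binds it.
name    = "net-vm"
type    = "pvh"
memory  = 512
vcpus   = 1
kernel  = "/boot/vmlinuz-netvm"     # assumed guest kernel + initrd
ramdisk = "/boot/initrd-netvm"
# PCI passthrough of the physical NIC (BDF address is an assumption).
pci     = [ "03:00.0" ]
# Dom0 provides only a small root image for this VM; it carries no NIC
# and no network configuration itself.
disk    = [ "phy:/dev/vg0/net-vm-root,xvda,w" ]
# No vif here: the only network device this VM has is the passed-through NIC.
# Inside net-vm, the guest bridges/NATs the passed-through NIC to xenbr0
# for the other VMs.

# /etc/xen/vm1.cfg  -- first isolated VM (vm2.cfg is identical, with /dev/sdc)
name    = "vm1"
type    = "pvh"
memory  = 2048
vcpus   = 2
kernel  = "/boot/vmlinuz-guest"
ramdisk = "/boot/initrd-guest"
# A whole physical drive dedicated to this VM (assumed device path). With
# "phy:" dom0 still exports the block device; to keep dom0 entirely away
# from the drive, pass through the drive's controller with pci = [...]
# instead, as done for the NIC above.
disk    = [ "phy:/dev/sdb,xvda,w" ]
# Virtual NIC whose backend lives in net-vm, not in dom0, so all of this
# VM's traffic is routed through the network VM.
vif     = [ "backend=net-vm,bridge=xenbr0" ]
```

Create `net-vm` first (`xl create /etc/xen/net-vm.cfg`), since the `backend=net-vm` vif of the other domains cannot be attached until the driver domain exists. The caveat from the comment still applies: dom0 can `xl pci-detach` the NIC or `xl destroy` any of these domains at will, so this only isolates the VMs from each other, never from a compromised host.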