Any info on percentages of users that use routers vs Windows boxes?

Microsoft has some suggestions for configuring PPPOE for MS-Windows.

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain /pppoe.mspx

A problem is many of your customers won't follow the directions, and may still be vulnerable to man-in-the-middle attacks for the login if they don't disable PAP. Because things will appear to work, i.e. Windows will use CHAP first and fallback to PAP, your customers may not notice when an attack does occur.

Although PPPOE is a layer 2 protocol, the user data may be vulnerable to many of the same ethernet CAM table, denial of service and sniffing weaknesses even if the login credentials are kept secret with CHAP (or more advanced EAP options). PPPOE and PPP tend to assume the access networks are 1) "free" and 2) "secure." This may be constrained using point-to-point connections, but often require additional configuration of multi-access networks.

The configuration details will vary by equipment vendor. But you should find some good information by doing a few web searches for metro ethernet security, private vlan, broadcast security.