CloudFormer and CloudFormation would be good tools for this.
CloudFormer lets you create AWS CloudFormation templates from resources that are already existing in your account. These generated templates are basically just JSON that expresses each type of resource that CloudFormer examined. You can then take the generated template as a base, tweak the configuration of each resource as you need, and then use the template to launch those resources.
Resources:
You need to add routes to the main route table object for the VPC.
In the web console go to the VPC management page and click on Route Tables as seen in the menu at the left. Select the main route table (Yes under Main). In the lower part of the page click the Routes tab and you will see a routes list. Click the blue Edit tab. Click Add another route below the list. Enter your CIDR subnet under Destination. Enter the instance ID or Network Interface object ID of the Windows instance under Target. Click Save when you are sure all is right. Back in the EC2 Instances page select the Windows instance. Go to Actions>>Networking>>Change Source/Dest. Check. Disable Source/Dest. Check so it allows packets to/from the Linux instance.
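The same two console steps (add a route to the VPC's main route table, then turn off the source/destination check on the forwarding instance) as AWS CLI commands. This is an added example, not part of the answer above; the VPC, instance and route-table IDs and the CIDR are constructed placeholders, and the commands are only printed unless `EXECUTE=1` is set, so they can be reviewed before anything is changed.

```shell
#!/bin/sh
# Added example: CLI equivalent of the console steps. All IDs and the CIDR are
# constructed placeholders. Nothing is sent to AWS unless EXECUTE=1.

VPC_ID="vpc-0123456789abcdef0"         # constructed placeholder
PEER_CIDR="10.10.0.0/16"               # constructed: network reached via the Windows instance
WIN_INSTANCE_ID="i-0abc123def4567890"  # constructed placeholder

# Reject malformed input before touching the route table.
valid_cidr() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}
valid_target() {
  case "$1" in
    i-[0-9a-f]*|eni-[0-9a-f]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Build the create-route command; the target flag differs for an instance ID
# versus a network interface ID.
route_cmd() {
  rtb="$1"; cidr="$2"; target="$3"
  valid_cidr "$cidr" || return 1
  valid_target "$target" || return 1
  case "$target" in
    i-*)   flag="--instance-id" ;;
    eni-*) flag="--network-interface-id" ;;
  esac
  echo "aws ec2 create-route --route-table-id $rtb --destination-cidr-block $cidr $flag $target"
}

# Build the command that disables the source/destination check, which EC2
# otherwise uses to drop packets the instance did not originate or terminate.
sdc_cmd() {
  valid_target "$1" || return 1
  echo "aws ec2 modify-instance-attribute --instance-id $1 --no-source-dest-check"
}

# Look up the main route table of a VPC (only called when EXECUTE=1).
main_rtb() {
  aws ec2 describe-route-tables \
    --filters Name=vpc-id,Values="$1" Name=association.main,Values=true \
    --query 'RouteTables[0].RouteTableId' --output text
}

run() {
  if [ "${EXECUTE:-0}" = "1" ]; then sh -c "$1"; else echo "[dry-run] $1"; fi
}

if [ "${EXECUTE:-0}" = "1" ]; then
  RTB_ID=$(main_rtb "$VPC_ID")
else
  RTB_ID="rtb-0fedcba9876543210"       # constructed placeholder for the dry run
fi

run "$(route_cmd "$RTB_ID" "$PEER_CIDR" "$WIN_INSTANCE_ID")"
run "$(sdc_cmd "$WIN_INSTANCE_ID")"
```

Once the source/destination check is off, the Windows instance will forward any packet the route table sends it, so its security group and the subnet's network ACL are what limit which traffic actually crosses; keep those rules to the specific ports and sources the Linux instance needs.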
Best Answer
Three AZs within one region.
Yes. All traffic must be permitted by security group policy.
Security groups are not concerned with availability zones, only IP addresses and/or security group IDs.
This is a very broad question, and depends greatly on how you have your security groups and network ACLs configured. The easiest way to sort this out is just to mock up your design using an actual VPC and actual instances. It shouldn't cost you more than a dollar or so to do this using micro instances.
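Since security group rules can reference another security group's ID rather than an IP range, instances in any AZ of the VPC that carry the referenced group are allowed in, without listing per-AZ subnets. This added example, not from any of the answers, builds the ingress rule for that pattern; the group IDs and port are constructed placeholders and the commands are only printed unless `EXECUTE=1` is set.

```shell
#!/bin/sh
# Added example: allow a port from one security group to another by group ID.
# All IDs are constructed placeholders; commands run only when EXECUTE=1.

WEB_SG="sg-0aaaaaaaaaaaaaaaa"  # constructed: group on the web tier instances
DB_SG="sg-0bbbbbbbbbbbbbbbb"   # constructed: group on the database instances
DB_PORT=5432                   # constructed: port the web tier must reach

valid_sg() {
  case "$1" in sg-[0-9a-f]*) return 0 ;; *) return 1 ;; esac
}
valid_port() {
  echo "$1" | grep -Eq '^[0-9]+$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Ingress rule keyed on the source group ID, so it follows the instances
# wherever they are placed, regardless of subnet or AZ.
sg_rule_cmd() {
  dest="$1"; src="$2"; port="$3"
  valid_sg "$dest" && valid_sg "$src" && valid_port "$port" || return 1
  echo "aws ec2 authorize-security-group-ingress --group-id $dest --protocol tcp --port $port --source-group $src"
}

run() {
  if [ "${EXECUTE:-0}" = "1" ]; then sh -c "$1"; else echo "[dry-run] $1"; fi
}

run "$(sg_rule_cmd "$DB_SG" "$WEB_SG" "$DB_PORT")"
```

A rule of this shape is also easier to audit than a CIDR rule, because the allowed source is a named tier rather than an address range that may later be reused.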