1) a few observations on your premise:
a building with no windows, no fire escapes or other emergency exits... only ONE way in and out sounds inherently implausible. And even if it DID exist, it'd have to be on some sort of extraterritorial corp grounds where they don't have to answer to fire safety codes.
A rating 7 maglock on the front door also sounds a bit over the top. It'd be like saying the hallways are patrolled by Red Samurai! Also note that a biometric lock for the FRONT door is implausible. How are potential clients supposed to even walk in? Now, a biometric lock on the lawyer's personal office makes perfect sense. But the front door for an office building? It shouldn't be locked at all during business hours (fire codes!) and after hours something more on the level of a rating 2 or 3 (at most) maglock is what'd be appropriate for a mundane office building. Probably a keypad or card reader would be more appropriate, but if you have other reasons to want a biometric reader it's still certainly plausible that the night staff's fingerprints could be on file.
Host architecture: rating 7 hosts are pretty chunky. Many corp sites don't even have that. Now it's not outside the realm of possibility for the Mob to throw a bunch of resources at this guy, but it'd be less eyebrow raising if he had hosts more on par with what legit businesses have. 2 for the public host sounds about right, but I wouldn't go beyond 4 or 5 for the secure hosts. Well, unless you have PCs who need big hosts to be challenged by. But for someone throwing 12-14 dice, rating 4 or 5 Hosts is gonna be hard enough.
The spider not coming in until after trouble is started: Nope, a terrible idea in 6e. Hosts can't roll mental stats, so they need spiders to lend to defense pools. Unless you're trying to throw a puffball to the hackers, you need spiders on duty. (And if you're trying to throw puffballs... what's with the rating 7 hosts?)
2) what the decker sees from outside: Any AROs advertising the lawyer's services that the lawyers want the public to see. Surely their public host would be prominent to anyone who cares to look. Any devices controlled by hosts are usually not visible from outside the host, but exceptions are possible. And it makes perfect sense for things like vending machines to be directly accessible to random traffic. Maglocks, too, because you don't necessarily need (or want) everyone who has access to go through the door to also have access to your host that controls said maglock. For example, do you think the lawyers want the secretary to have permissions to use the security host? Probably not. So her ID badge can talk to the card reader without her needing to log into the security host first! OTOH, security devices that the public and general employees have no business messing with (security cameras, motion sensors, etc) will probably not have this courtesy extended.
3) Short answer: No.
Longer answer: Yes, but only after you've hacked into the Security Host that controls said devices.
3a) It depends. See my comments in 2).
3b) yes, but getting physical access to devices can be very tricky. For example, you might see the black dome that you know a camera is located behind, but to get at the camera you have to get that covering off first... I strongly recommend reading the Sensors and Scanners section on pgs 241-242 SR6W. It also covers how to "hack" a maglock via non-matrix means.
4) It depends on the host architecture you're establishing. If the Public Host interfaces with the matrix, and the Security and the Secure Files hosts, while the Security and Secure file hosts only interface with the Public Host, then the decker must first hack into/through the Public host before being able to get to the other hosts. EXCEPTION: if you DO establish a direct connection to a device controlled by say the Security host, then you can start hacking the Security host via that direct connection.
5) Noise would be the issue. If the lawyers are security conscious, they might employ wireless negation (see pg. 177 SR6W) and that would mess with any hackers not inside the same building/room as the device being hacked.
5a) Yes when 3a) is yes, No when 3a) is no.
5b) No. VR is not a perfect parallel of Astral Space (though it'd be cool if it were). The "space" inside hosts has absolutely no correlation to the space inside physical buildings they serve. Even in VR, you can't just "float" around physical locations... you can only go to digital locations (i.e. Hosts). CAVEAT: In very specific examples (not the norm), you CAN "ghost" around physical locations in VR. See the examples for the Neo-Tokyo Visitor's Bureau (pg. 232 sidebar, SR5) and Dante's Inferno (pg. 220 sidebar, SR5) in 5e for examples of how a digital avatar can remotely interact with real people/places BUT ONLY WHEN THOSE PLACES DELIBERATELY want this to occur (they set up holographic projectors, etc). Maybe a lawyer might want the capability to meet virtually with clients, sure. But 99.9999% of the time it's better to just set up a secure meeting room on their host rather than going to the bother of setting up the machinery to holographically render a VR persona.