If the access to historian/shop-floor Control Network goes through PCo, install PCo on the control network where the historian and OPC servers are, then firewall it, leaving open the ports used for it's setup [i.e. by default 9000 for communication with the agent and 500050 (I guess) for communication with the PCo Management Host web-service].
Keep the historian on the Control Network. You don't want the firewall to look at every data transaction between the instrumentation and the data repository. Sometimes, the instruments are supposed to log 100-1000 transactions per second.
Cheers,
paul.