Based on what you've told me....
1. Your VLAN scheme looks fine. Matching the 3rd octet and the VLAN number is fairly common.
2. Pretty simple to block access from one VLAN to another. Just utilize ACL's to deny the desired ranges and permit all else. You haven't mentioned that you have stringent PCI or security concerns, so using ACL's on switch SVI's to block traffic should suffice - as opposed to requiring a FW.
3. From a routing perspective, you have a lot of options.
a. Place the SVI's on your 3750. This extends layer 2 from the 2960's to the 3750, but this isn't a big deal since you didn't mention redundant 3750's. If the SVI's are on your 3750, all routes will be locally connected. The 3750 will need a default route to the 6500, and the 6500 will need a summary route to the 2960's.
b. Same as above, but you could run multiple L3 PTP links between the 3750 and 6500. This provides redundancy, removes any STP complexity, and allows both uplinks to be utilized. Either implement dual static routes pointing over both links, or use some dynamic variant (EIGRP / OSPF).
c. Run L3 PTP links from the 2960's to the 3750. Although you don't gain STP abstraction benefits since these are single homed, you still limit your
L2 fault domain. This design does require that L3 networks don't span more than one closet, and it requires routes on the 3750 / 6500 via one of
methods described above (either statics or a dynamic protocol).
HTH
