Actually - a vhost will work -
You simply must not put the additional vhost's DocumentRoot under the default DocumentRoot of the installation. That is known as nesting, and each site will ALSO be part of the site that is its 'parent'. That is an awful practice security wise.
lets say XAMPP DocumentRoot is on C:\xammp\htdocs
Then anything that is BELOW c:\xampp\htdocs in the folder structure can also be accessed by the IP address. (that will include the FIRST vhost)
for the next (the important one) Vhost you make the DocumentRoot c:\sites\mypolskisite
NOW there is no way to add anything to the IP's root to get to the virtualhost. BTW, its the same on all websevers, not just Apache - it works on IIS, although they use a different term - 'virtual server'. As long as you make the access method 'Host header name', and DO NOT NEST your virtual hosts - the only way to access the vhost or virtual server is through an HTTP request that contains the 'server name'.