Networking – Cannot Ping Other Subnet in Network

With regards to the original reason for this frankenNetwork: you only need 1 extra router to override your ISPs behaviour, no need for 3. Just put that router behind your ISP provided-device and connect switches and access points to that. Also, slap your ISP for providing you with shitty DNS. You can't expect a consumer to run their own router because they can't provide a reliable DNS service, it's absolutely ridiculous.

Back to the specific question:

A big difference between Packet Tracer and the routers that you're using is that packet tracer provides "proper" routers (for the lack of a better term). Most consumer devices for routing were designed on the assumption that there is a WAN side and a LAN side (as you did in your drawing). Proper routers don't make that assumption and consider all networks on "equal footing", unless you configure otherwise.

Most consumer routers automatically apply NAT (SNAT) to LAN->WAN traffic, which totally breaks your design. There is no way to traverse from WAN to LAN with just plain routing or static routes (which is what you want here). You might hack it together using port forwarding, but this is gonna lead to headaches in the future.

While your thinking is generally correct (as confirmed by Packet Tracer), you're also missing out on default routes. Even if you got everything to work as desired, you'd still have no internet connection on LAN 1, 2 and 3, because they have no default route, and thus wouldn't be able to find anything on the internet (giving ICMP destination unreachable).

I think the easiest way out is to change your design to only include 1 additional router and just connect everything to that. If you want to go full-on nerd; get a couple of Edgemax or Mikrotik routers and start experimenting with those. And instead of static routes, employ a routing protocol like RIP or OSPF to really get a grasp of how large-scale networks work.

How do I allow devices connected directly to ROUTER#1 to talk to devices on ROUTER#2 (by their IP on ROUTER#2's subnet) but not vice-versa?

In this case, you don't – ROUTER#2's functionality is not sufficient for that. You need to be able to configure the "SPI firewall" to allow and block packets according to your description.

("SPI" pretty much just means it has a --state established -j ACCEPT rule, so that it allows reply packets in, but doesn't allow new connections in. Unfortunately, in your case, it's in the opposite direction vs what you're asking for.)

Routing configuration will not help here, as Router#2 already has a route to Router#1's network (due to its WAN interface literally being part of that network) and you kind of need that route so that Router#2 would be able to deliver reply packets to the authorized PCs on Router#1's network; if it has a route for replies, it has a route for "new" packets as well.

I've searched, but couldn't find any control over NAT on ROUTER#2.

In theory this wouldn't be a problem; such a control would only disable NAT in the direction #2→#1 (and you don't want any packets to go that way anyway). There is no NAT for #1→#2 by default (just the "port forwarding" rules); it's most likely the firewall that discards the inbound packets.