Yes, you can create a “normal” user in the IPFire console that could then be given sudo rights in the sudoers file to only access the etherwake command. Probably the most secure way to have the Windows users run the etherwake command would be by a scripted SSH command, specifically running the etherwake command in IPFire. The specially created user would have SSH keys created and installed for making the connection. Don’t use any existing users within IPFire for doing this.
That specially created user would then have to be given the sudo rights for etherwake without needing a password, because the user would not be in the console to provide the password but running the command via SSH.
You would also need to lock down the SSH connection to IPFire so that the Windows systems can only run the etherwake command and not get login access to the IPFire console.
All the above is capable of being done. Whether it is a wise thing to do, to give Windows systems even tightly controlled access to the IPFire console, is another question. I personally would not do that.
The suggestion I gave previously of using an RPi as the WOL server on your LAN would basically do the same thing and would need to be set up the same way, but the only service program would then be etherwake. I would strip out all unneeded programs or use Arch Linux, whose base install is effectively just the OS giving you command line access but no services. Then you could install etherwake, sudo and ssh.
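
One way to wire together the steps described in the post above (dedicated user, passwordless sudo limited to etherwake, an SSH key that can only trigger it), as an added example that is not part of the original post. The user name `wol`, the script path, the interface `green0`, the etherwake path and the MAC addresses are assumptions or constructed values.

```shell
#!/bin/sh
# Forced-command gate for the dedicated wake-on-LAN account (added example).
# Assumed, not from the post: user "wol", this file at /usr/local/bin/wol-gate,
# LAN interface green0, etherwake at /usr/sbin/etherwake, sample MACs below.
#
# ~wol/.ssh/authorized_keys, one line per client key; "restrict" disables
# pty, forwarding and rc files, "command=" runs this script instead of
# whatever the client requests:
#   restrict,command="/usr/local/bin/wol-gate" ssh-ed25519 <public-key> win-pc
#
# /etc/sudoers.d/wol (edit with visudo -f); exact arguments, no wildcards,
# and ':' must be escaped inside sudoers command arguments:
#   wol ALL=(root) NOPASSWD: /usr/sbin/etherwake -i green0 00\:11\:22\:33\:44\:55
#   wol ALL=(root) NOPASSWD: /usr/sbin/etherwake -i green0 66\:77\:88\:99\:aa\:bb

ALLOWED_MACS="00:11:22:33:44:55 66:77:88:99:aa:bb"  # constructed sample MACs
WOL_IFACE="green0"
ETHERWAKE="/usr/sbin/etherwake"

# Print the allowlist entry equal to the request and return 0, else return 1.
# The caller passes the allowlist entry on, never the client's own string.
resolve_target() {
    req=$(printf '%s' "$1" | tr 'A-F' 'a-f')   # compare case-insensitively
    for mac in $ALLOWED_MACS; do
        if [ "$req" = "$mac" ]; then
            printf '%s\n' "$mac"
            return 0
        fi
    done
    return 1
}

# sshd sets SSH_CONNECTION; SSH_ORIGINAL_COMMAND holds what the client sent.
if [ -n "${SSH_CONNECTION:-}" ]; then
    client=${SSH_CONNECTION%% *}
    if target=$(resolve_target "${SSH_ORIGINAL_COMMAND:-}"); then
        logger -t wol-gate "wake $target requested by $client"
        exec sudo -n "$ETHERWAKE" -i "$WOL_IFACE" "$target"
    fi
    logger -t wol-gate "denied request from $client"
    echo "wol-gate: request denied" >&2
    exit 1
fi
```

A client wakes a machine by sending the MAC address as the SSH command; any other request, including an interactive login attempt, is refused and logged.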