
Help with FTP server/windows 7 firewall/Shields up


stratcatprowlin
08-13-10, 06:47 PM
Shields Up shows port 21 open and visible with my router alone. If I add Windows 7 firewall, Shields Up comes up all stealth, but I don't think it works when the firewall is on.

Is it safe to just leave port 21 open with the router alone or do I need to do something with a software firewall that allows data transfer but will pass shields up?

Enablingwolf
08-13-10, 11:32 PM
The key search term here is Firewall port (range) trigger.
http://en.wikipedia.org/wiki/Port_triggering

Make sure the router (port 21) is closed until the trigger is sent. Basically, you are automagically forwarding a port, when it is triggered.

Myself, I am more or less used to my Linux tables than the Windows filtering stuff. It is also much easier to find filtering and rules for routers than for the actual Windows Firewall. WF can do triggering, but takes much more work than sending rules past your router's firewall.

The simple option is to open the port, with a triggering - on the one router machine and use the NAT on your router. Leaving all other machines on the LAN closed (to 21), unless you need them open. One machine is vulnerable with port 21 open. But... It is easy to set the rules for that one machine if you're used to dealing with Windows Firewall rules.

TempliNocturnus
08-14-10, 11:04 AM
You'll need to forward both port 21 and 20 on your router to the host you'll run the FTP server on. Then just create inbound and outbound TCP allow rules for ports 20 and 21.
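
An added example, not part of the thread: a small probe that classifies the FTP control port in Shields Up's own terms (open, closed, stealth) and checks whether an FTP `220` greeting actually arrives, which answers the question of whether the server still works with the firewall on. The function names and the loopback listener in `demo()` are constructed for illustration; point `probe_tcp` at your own server, from a machine outside the router to get the same view Shields Up has.

```python
import socket
import threading

def probe_tcp(host, port, timeout=3.0):
    """Return (state, banner); state is open, closed, stealth or unreachable."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
    except ConnectionRefusedError:   # a refusal came back: visible but closed
        return "closed", None
    except socket.timeout:           # no reply at all: the packet was dropped
        return "stealth", None
    except OSError:                  # e.g. no route to the host
        return "unreachable", None
    else:
        try:
            banner = sock.recv(256).decode("ascii", "replace").strip() or None
        except OSError:              # connected, but no greeting was received
            banner = None
        return "open", banner
    finally:
        sock.close()

def ftp_ready(state, banner):
    """True only if the port is open and the server sent an FTP 220 greeting."""
    return state == "open" and bool(banner) and banner.startswith("220")

def demo():
    """Constructed loopback check: a fake FTP greeting, then the same port closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))       # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def greet():
        conn, _ = srv.accept()
        conn.sendall(b"220 constructed test banner\r\n")
        conn.close()

    worker = threading.Thread(target=greet)
    worker.start()
    first = probe_tcp("127.0.0.1", port)
    worker.join()
    srv.close()
    second = probe_tcp("127.0.0.1", port)
    return first, second

if __name__ == "__main__":
    for state, banner in demo():
        print(state, banner, "FTP ready" if ftp_ready(state, banner) else "no FTP")
```

A result of `stealth` together with a working login from your FTP client would mean the probe and the client are not reaching the server by the same path, so run both from the same outside machine.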