You're on the right track. You will need to configure two VLANs on the AP plus a default VLAN (which must be VLAN 1). You can then configure an SSID for each VLAN and apply security to each VLAN separately. You will then need to define the VLANs on your switches and configure the AP's switchport as a trunk port.
Once you've done this you will need to restrict access from the visitor SSID/VLAN so that all it can do is access the Internet. You'll need some means of issuing clients with an IP address, give them access to DNS, etc.
As to limiting their bandwidth and blocking downloads, you can't do that through the AP; that needs to be handled by your Internet connection and the devices that manage that.
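An added example, not part of the original answer: the switch side of the setup described above, written for a Cisco IOS-style Layer 3 switch (an assumption, since the answer names no vendor). VLAN IDs 10 and 20, the port name, the 192.168.20.0/24 visitor subnet and the internal DNS server 10.0.0.53 are all constructed values.

```cisco
! Constructed example: staff VLAN 10, visitor VLAN 20, VLAN 1 left as the AP's native VLAN
vlan 10
 name STAFF
vlan 20
 name VISITOR
!
! Port facing the AP: trunk carrying only the three VLANs the AP uses
interface GigabitEthernet0/10
 description Trunk to wireless AP
 ! The encapsulation line is only accepted on platforms that also support ISL
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10,20
!
! Visitor policy: DHCP and DNS first, then block every private range, then allow the rest
ip access-list extended VISITOR-IN
 remark Allow DHCP requests from clients that have no address yet
 permit udp any eq bootpc any eq bootps
 remark Allow DNS lookups to the one internal resolver (assumed address)
 permit udp 192.168.20.0 0.0.0.255 host 10.0.0.53 eq domain
 permit tcp 192.168.20.0 0.0.0.255 host 10.0.0.53 eq domain
 remark Block all internal (RFC 1918) destinations, including the switch itself
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark Whatever is left is Internet-bound traffic from the visitor subnet
 permit ip 192.168.20.0 0.0.0.255 any
!
! Address assignment for visitors, served by the switch
ip dhcp excluded-address 192.168.20.1 192.168.20.10
ip dhcp pool VISITOR
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
 dns-server 10.0.0.53
!
! Visitor gateway; the ACL is applied to traffic arriving from visitor clients
interface Vlan20
 description Visitor wireless gateway
 ip address 192.168.20.1 255.255.255.0
 ip access-group VISITOR-IN in
```

Order matters in the ACL: the DHCP and DNS permits must sit above the private-range denies, otherwise visitors get no address and cannot resolve names. Bandwidth limits and download blocking are not covered here, in line with the answer's point that they belong on the Internet-facing devices.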