The most secure method would be to create two VLANs, one for your employee traffic, one for your guest traffic. Place an ACL on the VLAN interface for your guest traffic limiting the traffic to HTTP traffic (and also consider limiting the hosts they can actually touch; you don't want a guest finding an unpatched HTTP server in your network and using that as an attack vector for the rest of your network). Then set up a trunk port and hang your APs off that. Set your employee SSID and VLAN up as the native VLAN. Set the guest SSID up to use the guest/restricted VLAN.
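
The layout described above, sketched as an added example in Cisco IOS-style syntax (not part of the original post; the post names no platform). The VLAN IDs, subnets, resolver address, ACL name and port name are constructed, and the DHCP and DNS permits are an assumption added so that guest clients can get an address and resolve names.

```cisco
! Constructed values: VLAN IDs, subnets, resolver 192.0.2.53, port Gi0/1.
vlan 10
 name EMPLOYEE
vlan 20
 name GUEST
!
ip access-list extended GUEST-IN
 remark DHCP and DNS for guest clients (assumption, not in the post)
 permit udp any eq bootpc any eq bootps
 permit udp 192.168.20.0 0.0.0.255 host 192.0.2.53 eq domain
 remark Keep guests off internal hosts, including unpatched HTTP servers
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark Everything else: HTTP only
 permit tcp 192.168.20.0 0.0.0.255 any eq www
 deny   ip any any log
!
interface Vlan10
 description Employee gateway
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan20
 description Guest gateway, filtered inbound
 ip address 192.168.20.1 255.255.255.0
 ip access-group GUEST-IN in
!
interface GigabitEthernet0/1
 description Trunk to access point
 ! The encapsulation line is only needed on platforms that also support ISL
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20
```

The deny entries sit above the HTTP permit because the ACL is evaluated top-down, and `show access-lists GUEST-IN` reports per-entry match counts for checking what guests are actually hitting.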