In your case, the AP can serve more than just Internet access, which can give your users a lot of flexibility. I have set up an 1130 AP with VLAN access to two different networks in my office - one is a DMZ that only has Internet access and one is to my Inside network. The AP has access to those VLANs because we recently trunked all our switches together and they all participate in VTP - translation: every switch knows about all the VLANs, and that makes it easier.
This arrangement gives your employees access to the same (Inside) network as their desktop, and guests have access to the Internet (through the DMZ) for checking mail, doing presentations, etc. I just got it working today so I don't have security turned on - I'm still looking for a document that shows how to turn security on one SSID and not another without using a WLSE or WLC.
Here's the link to the document that shows how to use VLANs with an AP;