Well... MAC-address filter would work, but if you have alot to input, it can be a headache. ACL's I don't think will work, because users will get an ip from the guest network and then how can you know who has what address. Create a username password webauth page. The credentials can be changed each day or week depending.... and give this out to guest users to access the guest network. Now internal user can't access this unless the username password slips out. If you really want to make it tough, use GPO and push out the wireless policy and lock out the feature to add a wireless network.