You would have to replace the WAP with a wireless "router". The router's external interface would be on the LAN while its internal side would have to use a different IP subnet. Then treat the "router" as a SecureNAT Client and give it what access you desire. Keep the router unplugged and in a locked cabinet when not using it so that employees don't try to use it to get around any internet restriction you have placed on them. Your LAN would still have limited exposure to the Guests, but the Guest would be protected from your LAN, so that is kind of backwards.
The best approach would be to have more than one Public IP# and have the wall jack and cable from that room go out to the Public side, then assign the Public IP# to the wireless "router" and let the guest use it that way. Now they would be totally separated from the LAN. But this may require a commercial internet connection with commercial equipment rather than a "home user" line (DSL, CableTV). You would still keep the device powered off and locked in a cabinet when not in use for the same reasons as above.
Hi Chris, a solution to that is to enable the VPN server on ISA, so that domain users first create a VPN connection and then securely access internal resources. In this way you keep things separated; the downside is that you have to deal with the hassle of the VPN connections to secure the wireless DMZ.
Another, more elegant solution is to put that WAP back on the Internal Network and secure/encrypt the wireless connections, so that only domain-authenticated users can use that WAP without the worry that someone may "read" their wireless traffic. Then buy a cheap WAP and put it in that wireless DMZ. In this way you have a proper wireless infrastructure for your domain users, so they can do their work, while the guest users can access their favourite viruses from the wireless DMZ. Regards!