|Gee, I'd worry about some perv downloading stuff,.|
Consider at least a box with untangle or vyatta or good software to protect content.
If you want, read up on how to use backtrack 4 and run it. It will show you every thing you need to attack your setup.
Make sure the hot spot can't access 192 address and make sure your company is behind a good device or appliance. You can run virtual machines for the hot spot if you don't have hardware..
"Best Practices", Event viewer, host file, perfmon, antivirus, anti-spyware, Live CD's, backups, are in my top 10