|The simple way is to keep them completely apart.|
Use your normal lan within the office. Connect it to nothing else.
Then get junky old computer running linux wifi setup for guests connected to internet.
"Best Practices", Event viewer, host file, perfmon, antivirus, anti-spyware, Live CD's, backups, are in my top 10