If the Netscreen box has multiple internal interfaces and lets you filter traffic between them, you can approach this like you're planning. The guest bits will be their own networks with their own IP address ranges, and it's up to the configuration on the Netscreen to let them get at the Internet but not the Internal network.

If the Netscreen is more of a SOHO device (where the inside bit is just a regular switch), then what you're trying to do would give everyone full access to the internal network as well.


In terms of wireless security, go for WPA/WPA2 and just write the key on the whiteboard in the room (and change it periodically, eg after each course finishes). MAC filtering isn't security.


The WAP2000 is only an access point, not a router. If the Netscreen box is going to handle DHCP and DNS for the guest networks, then that's all you need. Otherwise, you need something bigger.


If you had more time, you could look at a hotspot system like ChilliSpot to provide authentication (and monitoring if required), then leave the wireless network unsecured. Probably not something you could just drop in in a couple of days though.