getting ready to set up a wireless system for our lan. (got cisco 2100
+ a bunch of access points).

mainly want to use this for laptop users to access the they'll
be logging in w/ their eDirectory credentials (as soon as I figure out
all that 802.1x stuff/clients/radius server, etc, but thats another
subject). But there are the occasional consultants or visitors that
come in, and need to get internet access.
I can create multiple "virtual" access points w/ this cisco that advertises itself as "guest" access. but for the
moment, all internet access is through the bordermanager 3.8 server,
and I've enabled proxy authentication, requireing clntrust.exe running
on the clients. I'd rather that guests not have to authenticate to
bordermanager. (not much point in tracking the logs when multiple
people might be logged in as "guest" anyway). But as far as I can
remember, proxy authentication is simply "on" or "off" way to
allow certain users to bypass it. is that correct?

I could configure the cisco hardware to vlan anyone on the "guest" wlan
to a specific physical port on the controller box, and plug that
directly into the dmz switch, giving them completely unrestricted
access to the internet, but is that wise?
what do people typically do for "guest" access?