PPRuNe Forums - View Single Post - Wireless broadcasting security
Old 24th Feb 2008, 15:05
IO540
 
Join Date: Jun 2003
Location: EuroGA.org
Posts: 13,787
It's easy to limit a wifi access point to only allow some ports, or blocks of ports.

I have a Linksys WRT54GC which can be configured to ban 2 or 3 blocks of ports. So, to prevent obvious abuse, you would block everything below 59 and everything above 443, and if possible everything between 80 and 443.

That will allow HTTP and HTTPS, and DHCP, and will stop POP, SMTP (spamming), anybody but clever P2P users.

I hope I got the above ports right. For a usable "internet cafe" usage, you need 80, 443, and DNS and DHCP and I don't have the last two handy.

But the point is that by blocking ports like 137-139 (IIRC) you stop windoze networking protocols so even if you have other PCs on the wired network, nobody should be able to see them, never mind connect to them. Unless, that is, they can work out a port 80 attack; for that they would need to guess which IP they are on, and try to find a back door in windoze that responds on port 80.

Another easy thing is to limit the max # of DHCP clients to say 10.

And if you got some idiot taking advantage, you just block his MAC address; that will stop him until he gets another laptop...

I have done all the above on the wifi AP I have here, to provide internet access for my teenage son (and his mates, whose laptop(s) is regularly infected with every virus imaginable), and I don't want the stuff to spread.
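Added example, not part of the original post: a small Python check that takes a set of blocked port ranges like the ones described in the post and reports which required guest-network services end up blocked and which unwanted ones stay open. The ranges are one reading of the post's wording, the port numbers are the standard assignments, and the check assumes a pure port match (it does not model TCP versus UDP, or whether the AP filters traffic addressed to itself).

```python
# Added example: audit a block-range port policy for a guest wifi AP.
# BLOCKED_RANGES is one reading of the post ("below 59", "above 443",
# "between 80 and 443"); it is an assumption, not a device export.
BLOCKED_RANGES = [(1, 58), (81, 442), (444, 65535)]

# Services the post says an "internet cafe" setup needs (standard ports).
REQUIRED = {"DNS": [53], "DHCP": [67, 68], "HTTP": [80], "HTTPS": [443]}
# Services the post wants stopped; SMB on 445 is added here as the other
# common Windows file-sharing port.
UNWANTED = {"SMTP": [25], "POP3": [110], "NetBIOS": [137, 138, 139], "SMB": [445]}


def is_blocked(port, ranges):
    """True if the port falls inside any inclusive (lo, hi) blocked range."""
    return any(lo <= port <= hi for lo, hi in ranges)


def audit(ranges, required=REQUIRED, unwanted=UNWANTED):
    """Return (required services that are blocked, unwanted services still open)."""
    broken = sorted(name for name, ports in required.items()
                    if any(is_blocked(p, ranges) for p in ports))
    leaking = sorted(name for name, ports in unwanted.items()
                     if not all(is_blocked(p, ranges) for p in ports))
    return broken, leaking


def allowed_ports(ranges, max_port=65535):
    """Collapse the ports outside the blocked ranges into (lo, hi) spans."""
    spans, start = [], None
    for port in range(1, max_port + 2):
        is_open = port <= max_port and not is_blocked(port, ranges)
        if is_open and start is None:
            start = port
        elif not is_open and start is not None:
            spans.append((start, port - 1))
            start = None
    return spans


if __name__ == "__main__":
    broken, leaking = audit(BLOCKED_RANGES)
    print("allowed spans:       ", allowed_ports(BLOCKED_RANGES))
    print("required but blocked:", broken)
    print("unwanted but open:   ", leaking)
```

Running the same audit after every change to the router's filter table catches a range that cuts off name resolution before the guests notice it.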