At home I have set up a second wifi AP for kids' use. They tend to have infected laptops because they click on every link they see; on one occassion I found 13 trojans on one laptop.

That AP is an old Linksys one (don't recall the P/N but it is about £20 on Ebay) which allows 3 port number ranges to be blocked.

IIRC, I blocked everything below 53, everything above 443, and everything between 81 and 442 inclusive.

The last one in particular blocks ports 137 138 139 which are used in windows networking and that stops somebody with a windows-compatible computer seeing other PCs on the internal LAN. It also pretty well blocks the use of the connection for P2P which is a perpetual hassle with internet usage, in both potential illegality and blowing away your monthly GB allowance.

The users can do HTTP and HTTPS which is about all you can do on most public wifi anyway.

But you cannot stop your customers from downloading illegal material. The only way is to have a 2nd phone line installed and have another ADSL service running on that, and you put the "clients" wifi AP on that.