I'm sorry, but where on earth do you live that this is such a huge problem?
Just to repeat what you said, you have people who, by definition, you know and trust well enough to invite into your home, yet you are worried that once they leave they might come back within range of your AP and steal some bandwidth?
You said you found people sitting on the network who were not authorized. What problem were they causing? Hacking your bank details from your secure servers? Maybe you were worried that your best mate was accessing your online "little black book" and stealing all your best leads for a Saturday night? Ok, perhaps that last comment was a bit cheap, but PLEASE.
The simple fact is, if you put a BIG lock on a door, then thieves will wonder what you're protecting and will be all the more interested in breaking in.
In any case, there is no reason why both of your AP types couldn't be on the "inside" in this situation. Once you have access (because you belong or because you are an authorized guest (do you frisk them on the way in and out, by the way?)) then why do you need to segregate the traffic? Or do people sit in your kitchen on their iPhones trying to hack your music collection?
You clearly have some knowledge of network security, but a little knowledge can be a dangerous thing. Don't even get me started on password security (I teach this stuff to VoIP engineers for a living, BTW, so I know what I'm talking about here).
Let us get this straight and recap: you want to re-engineer MCE to ensure that visitors, who you trust enough to invite into your home, cannot access the network from "inside", yet you think you might need to tear down the security built into MCE to allow access from "outside". Is that correct?