The vulnerabilities of WEP and MAC address filtering make them extremely poor choices for a business setting.
Consider a secure protocol such as PEAP or TLS for the employees, authenticating against a RADIUS server. In the branches, your project could include a firewall that allows a DMZ. A separate access point, placed in the DMZ, could allow Internet access without any security, but could stay fenced off from the corporate network.
It might be possible to set up the RADIUS server in such a way as to limit guest users while allowing others greater privileges, but I'm not smart enough to tell you if or how. I'm imagining something like a hotspot login/redirect where you can get to certain sites - help pages, advertisers, partners - but not full access until you log in with the proper credentials. Some places to start: