Then the only good way to implement this will be to put the WAP behind it's own firewall. Then you can limit the places that the WAP-connected clients can go.

--Ben