have unique credentials per user or don't share the guest credentials to those users.
Block those MACs at wired interface.
WLC doesn't have 'deny only' option until today, cisco didn't drive it due to 'no ask' or 'no demand' from cust perspective.
There is a turn around to this issue, if you open a TAC case and mention this support forum link, mention my name in the TAC case, i'll take it from there.