Are you saying you want to have 2 guest WLANs in addition to your trusted user WLAN? That's certainly possible, but it will depend on what you're using for the WLAN infrastructure and the internet access proxy functions. You don't mention what proxy server you have, but the first thing you need to think about for the DMZ'd WLAN is how you're going to ingress the traffic to the proxy from the DMZ. That could be via a seporate physical interface, or preferably a new VLAN on an 802.1q trunk. Apart from that, your normal proxy rules should be configurable however you want I'd think.
For the second WLAN that you're talking about, I think you'd need what I'd call a "forced portal". It's a bit like a proxy, but with more functions. Some proxies do web based authentication which is what you want, but you'd need to check your box. Typically, you'd expect to be doing this as a layer 3 web based authentication rather than an 802.1x, which occurs at layer 2 and is required before the user can even see a web page (i.e. when the radio signal is building). Furthermore, if you want time based access for your portal, you'll need to check it does that too. And, you'll need to think about how these "tokens" get issued. Somebody will have to be doing it as part of there job, unless you automated via a HTML page for the guest to fill in themselves.
One final point with guest access. A lot of people forget that you can't implement downstream QOS from your ISP (not AFAIK). What this means is that you need to accept the risk if you're going to share a corporate web connection with the guests that they might steal a big chunk of your bandwidth. There's lots of functions you can activate to cut back guest traffic levels upstream and downstream internally and on the DMZ. But when it comes in on your inbound web router, but if the inbound traffic is already loaded, dropping the packets at your local interface won't necasarily help! I'd always suggest running guest access up a different web connection to your corporate access.
