Jason,
Unless you have dedicated firewall or cluster filtering this traffic, even on its' own VLAN with separate private IP range, it is still going through your production infrastructure imposing undue load on it.
Point being, that there is no compelling reason monitoring your visitors or guests egress traffic. As Kaspars have mentioned in his comment, the only thing you care about is limiting access to the inappropriate sites, and various hacking-related activities, (i.e. network and port scans, etc).
Generally, the rest of the traffic from the guest network could be left alone.
I've used a separate ISP link and WiFi access points for the guest networks, as 802.1X authentication on these segments is often impractical, URLF blocking some of the categories and restricting per-user bandwidth to something reasonable.
I'm more concerned with inbound connections from these user categories, if such are warranted.
What is the reason for you to enforce stricter controls for the guest/visitor network?