Hey CompNerd... Sure, you can do this via ACL policy. There are different ways to do this.
Are you thinking of WLAN users trying to access things they shouldn't? That's the use case I typically see / get asked to protect against.
Here is an example to block SSH and SNMP from the Guest network. This methodology, which you can always employ (regardless of AOS version... a.k.a. most versatile), is shown below.
You can restrict access for any user role by creating a 'net-destination' and loading in the 'sensitive' interfaces that you don't want users (of any particular flavor) to access.
JF
Example to limit GUEST users from using SSH and SNMP to interfaces 10.10.10.2 and 10.10.20.2:
!
netdestination CONTROLLER-INTERFACES
  host 10.10.10.2
  host 10.10.20.2
!
ip access-list session CONTROLLER-INTERFACES
  user alias CONTROLLER-INTERFACES tcp 22 deny
  user alias CONTROLLER-INTERFACES udp 161 deny
!
user-role GUEST
  access-list session CONTROLLER-INTERFACES position 1
!
Alternatively, you can also block on a port-by-port basis instead of by role... let me know if you want an example of that approach.
JF
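An added example, not part of the original post: a small Python audit that reads a saved config and reports every user-role that the CONTROLLER-INTERFACES ACL from the post does not protect. The STAFF role in the sample and the rule that an ACL counts as first when it carries `position 1` or is listed first are assumptions made for this example.

```python
import re

# Constructed sample: the post's stanzas plus a hypothetical STAFF role lacking the ACL.
SAMPLE = """\
netdestination CONTROLLER-INTERFACES
  host 10.10.10.2
  host 10.10.20.2
!
ip access-list session CONTROLLER-INTERFACES
  user alias CONTROLLER-INTERFACES tcp 22 deny
  user alias CONTROLLER-INTERFACES udp 161 deny
!
user-role GUEST
  access-list session CONTROLLER-INTERFACES position 1
!
user-role STAFF
  access-list session allowall
!
"""

def parse(config):
    """Split on '!' separator lines; map each stanza header to its body lines."""
    blocks = ([l.strip() for l in b.splitlines() if l.strip()]
              for b in re.split(r"(?m)^\s*!\s*$", config))
    return {b[0]: b[1:] for b in blocks if b}

def denied_services(stanzas, acl, dest):
    """(proto, port) pairs that the session ACL denies from 'user' to alias dest."""
    pat = re.compile(rf"user alias {re.escape(dest)} (tcp|udp) (\d+) deny$")
    rules = stanzas.get(f"ip access-list session {acl}", [])
    return {(m[1], int(m[2])) for r in rules if (m := pat.match(r))}

def audit(config, acl, dest, required):
    """Return {role: problem} for every user-role the ACL does not protect."""
    stanzas = parse(config)
    missing = set(required) - denied_services(stanzas, acl, dest)
    roles = {h.split()[1]: b for h, b in stanzas.items() if h.startswith("user-role ")}
    findings = {}
    for role, body in roles.items():
        applied = [b.split() for b in body if b.startswith("access-list session ")]
        mine = [a for a in applied if a[2] == acl]
        if not mine:
            findings[role] = "ACL not applied"
        # Assumption: explicit 'position 1', or being listed first, means evaluated first.
        elif mine[0][3:] != ["position", "1"] and applied[0][2] != acl:
            findings[role] = "ACL applied but not first"
        elif missing:
            findings[role] = f"ACL does not deny {sorted(missing)}"
    return findings
```

Calling `audit(SAMPLE, "CONTROLLER-INTERFACES", "CONTROLLER-INTERFACES", {("tcp", 22), ("udp", 161)})` flags only STAFF; an empty result means every role has the deny ACL evaluated first.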