Hello,
I have run into this situation before. You can not seperate the users in the database, however, you can apply a role to the guest user acccount within the internal database. Let's just say Guest_role is the role for now.
Also create a dead end VLAN. That is a vlan without a gateway or dhcp.
You can then create a seperate captive portal authentication profile for you internal users. This is important becuase we are going to be using a user derivation rule.
In the Server group, specify internal, and add a user derivation rule. The rule will read, if user role equal Guest_role set vlan to # (dead end).
This wil insure that any user that logs in to the employee network wit a guest account, will go no where.
Hope this makes sense.