Thanks Tim, that solved it.
That does bring up a difficult point for me though. The way I read that policy is that port 80 and 443 are port-nat'ed (is that the right way to say that?) to 8080 and 8081.
My problem is that I don't have a rule in my fortigate firewall that allows ports 8080 and 8081 out onto the internet, so theoretically anyone using the guest policy should not be able to surf the internet.
Obviously I still have more learning to do!
Mark