A basic solution would be to use an access-list to block all traffic FROM the guest subnet TO the Internal subnets.
You could also use a routing policy such that traffic FROM guest going to Internal is sent to the black hole.
Another solution would be install a Firewall in between - Ideal solution
Terminate guest vlan gateway on a seperate Internet router/link
Finally, i suppose you could also use private vlans to accomplish this.