The ACLs only restrict MacAddresses for WiFi connections. They totally ignore Ethernet because it's assumed no outside hacker is directly hard-wired into your router.
It looks like you will have to look elsewhere than the standard AirPort utility to do what you want to do.
Ok so if I get it.. the only real problem is that your guests may end up visiting a ***** site, and you don't want to get into trouble if their parents find out, right?
I guess turning on parental controls isn't going to do a **** thing.... with their own devices and all. Anything I can think of here is always going to have some way around it...