The first thing that you have to remember is that VLANs are a way to separate the networks. VLANs basically just isolate the different traffic. All of your security comes from your switch/router routes, ACLs, or filtering on the switch/router, as well as integrated security on your servers/domain. The other thing to note is that layer 2 switches generally do not support VLANs.
The most secure way to allow your user to access the server is to put in a route that only allows one user's IP to route to the server. Or, if you need a range of desktops, put the route in the switch to allow the range to go to the destinations.
Now, that being said, I think you are worried about the guest traffic on your network, and with good reason. If guest access is all you are worried about, create a domain VLAN (10) and a guest VLAN (20) on your layer 3 switches.
With this setup you will not need routes/ACLs/filtering. I am going to program one switch controlling all your VLANs. You will need to have all of your guest access runs going to the main switch. Now, in Cisco terms, you will need to untrunk (untag) the ports for the needed VLANs. So, if a guest connection is plugged into port one, you will untrunk (untag) the port for VLAN 20 (Guest). Untag all of your guest run ports. Now untrunk (untag) all of the other ports for VLAN 10 (Domain). This will completely separate the 2 VLANs. You will need to plug your guest VLAN into a firewall or a DMZ that will supply IP, as it will not see your DHCP server.
That's it. Your guest users cannot see your Domain and still get internet access.
If you want to spread out the ports across several switches, you will have to trunk (tag) all inter-connecting runs for all VLANs. NO UNTAGGED BETWEEN LAYER 3 INTERCONNECTED SWITCHES. There are many ways to do this and it is a complex topic, but hopefully this will get you started.
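
The port rules from the answer above can be checked mechanically. The following is an added example, not part of the original post: a small audit over a constructed port table that flags guest or domain ports untagged in the wrong VLAN, edge ports that also carry a tagged VLAN, and inter-switch links that are untagged or missing a VLAN. The switch names, port numbers, role labels and the table format are assumptions made for illustration.

```python
DOMAIN_VLAN, GUEST_VLAN = 10, 20  # VLAN ids used in the answer above

# Constructed sample port table; switch names, port numbers and roles are hypothetical.
PORTS = [
    {"switch": "sw1", "port": 1, "role": "guest", "untagged": 20, "tagged": []},
    {"switch": "sw1", "port": 2, "role": "domain", "untagged": 10, "tagged": []},
    {"switch": "sw1", "port": 3, "role": "guest", "untagged": 10, "tagged": []},      # wrong VLAN
    {"switch": "sw1", "port": 4, "role": "domain", "untagged": 10, "tagged": [20]},   # also carries guest
    {"switch": "sw1", "port": 24, "role": "uplink", "untagged": None, "tagged": [10, 20]},
    {"switch": "sw2", "port": 24, "role": "uplink", "untagged": 10, "tagged": [20]},  # untagged on uplink
]


def audit_ports(ports, vlans=(DOMAIN_VLAN, GUEST_VLAN)):
    """Return (port, problem) pairs for ports that break the layout described above."""
    findings = []
    for p in ports:
        name = f"{p['switch']}/{p['port']}"
        untagged, tagged = p["untagged"], set(p["tagged"])
        if p["role"] == "uplink":
            # Inter-switch links: every VLAN tagged, nothing untagged.
            if untagged is not None:
                findings.append((name, f"uplink has untagged VLAN {untagged}"))
            missing = sorted(set(vlans) - tagged)
            if missing:
                findings.append((name, f"uplink missing tagged VLANs {missing}"))
        else:
            # Edge ports: untagged in exactly one VLAN, chosen by role.
            expected = GUEST_VLAN if p["role"] == "guest" else DOMAIN_VLAN
            if untagged != expected:
                findings.append(
                    (name, f"{p['role']} port untagged in VLAN {untagged}, expected {expected}")
                )
            if tagged:
                findings.append((name, f"edge port also tagged for VLANs {sorted(tagged)}"))
    return findings


if __name__ == "__main__":
    for port, problem in audit_ports(PORTS):
        print(f"{port}: {problem}")
```
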