Is there a "best method" of allowing wireless access to the Internet without allowing access to my intranet besides using VLANs?
There are several common methods of segregating public Internet-bound wireless traffic from private intranet-bound wireless traffic.
One option is to create an entirely separate wireless network for public Internet traffic, using a different SSID (Service Set Identifier) on APs dedicated to guest use, connected to the Internet, outside your intranet firewall. This is simple and workable when public Internet access is only required in isolated areas, like a lobby or conference room.
As you note, another option is to use the same AP(s) but create a separate VLAN for Internet-bound traffic. VLAN-capable switches can then be used to keep public Internet traffic from entering your intranet. This is a good fit if you already use VLANs and your WLAN is small enough that one VLAN can handle all visitors.
A third option is to use a wireless access controller between your APs and Internet/intranet uplinks. Many WLAN gateways and switches can differentiate between guests and other authenticated users, applying role-based policies to limit what guests are allowed to reach. For example, you might define a "walled garden" policy that permits only port 80 and 443 traffic to subnets other than your intranet. The controller will drop any guest traffic that doesn't pass this policy, independent of source AP, SSID or VLAN tag. This approach requires more infrastructure but can offer better flexibility, scalability and usage logging/reporting.