HP bought out Colubris Networks which is where the current HP MSM product platform comes from. The best practice for the APs to associate with the controller is to have some DHCP options created for them to use. Look for the MSM Implementation Guide on this page and it will outline several configuration examples as well as the DHCP options to set.
As far as the VSC, you don't have to disable Authentication, just Access Control. Again, this will allow the traffic to flow through your network withouth having to go through the controller. In regards to the Public VSC, the controller itself does have firewall capabilities, but I turned that off in lieu of using the firewall capabilities of my Sonicwall which does have web filtering and IPS features.
So here's my setup as an example. My Secure VSC is WPA2 Enterprise secured using Radius, certificate, etc... (again, go through guide as there are examples of configuration on this). My Public VSC is Access Controlled and the only security I have is HTML-based authenticaion. I created a user on the controller and when someone needs Public access (visitors, etc...), we offer them the username and password when they hit the html login page that they get redirected to, to get Internet access. Also make sure that always "tunnel client traffic" is checked for this VSC. Enable DHCP server on the controller (again, since the Secure VSC is not Access Controlled, then it will not use this DHCP server). The Internet port is a IP address in one of my DMZs (so for example 172.16.1.2), but on your Public VSC toward the bottom of the configuration page, there will be a DHCP Server option to check. Check this and enter a scope to use. YOU CANNOT USE THE SAME NETWORK as your Internet port's subnet. So for example, 172.16.2.2-172.16.2.254 with 172.16.2.1 being the DNS and the Gateway IP address. It looks a little odd, but what you are doing is creating this subnet for your public users to use and the controller is your everything in that matter. It cannot share the same network with your Internet port, so it has to be on a different subnet. So the way traffic flows using that Public VSC is their traffic never touches your LAN. It backhauls all the way to the controller and exits out the Internet port (in fact, it does not touch the LAN port at all). Like I mentioned, you could very well plug that Internet port directly to your public Internet and turn on the firewall, but it's basic at best; that's why I opted for it to go through my Sonicwall where I did have those filtering and security features I could apply to that zone.
Hope that makes sense. The configuration on this thing can seem daunting at first, but after you read through the guide once or twice, you can extrapolate from it's examples whatever fits your needs.