Block DMZ

Right now all internal users have wide-open access to the DMZ. This is not good, as the entire idea behind the DMZ is that it is an isolated, untrusted network. We don't want our internal users accidentally bringing in something from the DMZ. So, we block our internal users from having any other access to the DMZ. Instead of creating another rule, we just change the Internal Outbound rule to say Internal can go anywhere but the DMZ. Remember, simplicity is good. If the use of negation confuses you, then create an additional rule that denies the Internal network access to the DMZ and place it before the Internal Outbound rule.
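
The following is an added example, not part of the original page: a minimal first-match evaluator that compares the negated Internal Outbound rule with the explicit deny rule, and shows what happens if the deny rule is placed after Internal Outbound instead of before it. The network addresses, the rule representation and the final implicit drop are assumptions made for illustration.

```python
import ipaddress

# Constructed addressing for illustration; not taken from the original page.
INTERNAL = ipaddress.ip_network("192.168.1.0/24")
DMZ = ipaddress.ip_network("192.168.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")


def rule(name, src, dst, action, negate_dst=False):
    """Hypothetical rule record: source net, destination net, action."""
    return {"name": name, "src": src, "dst": dst,
            "action": action, "negate_dst": negate_dst}


def evaluate(rulebase, src, dst):
    """First match wins; unmatched traffic hits an assumed final drop."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rulebase:
        # With negation, the rule matches every destination EXCEPT r["dst"].
        dst_hit = (d in r["dst"]) != r["negate_dst"]
        if s in r["src"] and dst_hit:
            return r["action"], r["name"]
    return "drop", "implicit cleanup"


# Option 1: one rule, destination is "anything but the DMZ".
NEGATED = [rule("Internal Outbound", INTERNAL, DMZ, "accept", negate_dst=True)]

# Option 2: explicit deny placed BEFORE the Internal Outbound rule.
EXPLICIT = [rule("Internal to DMZ deny", INTERNAL, DMZ, "drop"),
            rule("Internal Outbound", INTERNAL, ANY, "accept")]

# Ordering mistake: the deny placed after Internal Outbound never matches.
MISORDERED = list(reversed(EXPLICIT))

# Constructed test flows: internal->DMZ, internal->Internet, DMZ->internal.
SAMPLES = [("192.168.1.10", "192.168.2.25"),
           ("192.168.1.10", "203.0.113.80"),
           ("192.168.2.25", "192.168.1.10")]


def decisions(rulebase):
    """Return the action taken for each sample flow, in order."""
    return [evaluate(rulebase, s, d)[0] for s, d in SAMPLES]


if __name__ == "__main__":
    for label, rb in (("negated", NEGATED), ("explicit", EXPLICIT),
                      ("misordered", MISORDERED)):
        print(f"{label:10s} {decisions(rb)}")
```

In the negated form, Internal-to-DMZ traffic is not dropped by the Internal Outbound rule itself; it simply fails to match and continues down the rulebase, so the block holds only as long as no later rule accepts it.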