Block DMZ
Right now all internal users have wide-open access to the DMZ.
This is not good, as the entire idea behind the DMZ is that it is an
isolated, untrusted network. We don't want our internal users accidentally
bringing in something from the DMZ. So, we block our internal users from
having any other access to the DMZ. Now, instead of creating another rule,
we just change the Internal Outbound rule to say Internal can go anywhere
but the DMZ. This saves us from creating another rule. Remember, simplicity
is good. If the use of negation confuses you, then create an additional rule
that denies the Internal network access to the DMZ and place it before the
Internal Outbound rule.
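
The two ways of writing this restriction, checked against each other in a small first-match evaluator. This is an added example, not part of the original page; the address ranges, the Cleanup rule, the first-match evaluation model and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed address ranges (assumptions, not from the original page).
INTERNAL = ipaddress.ip_network("10.0.0.0/24")
DMZ = ipaddress.ip_network("192.168.1.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Rule: (name, source net, destination net, negate destination?, action)
# Form 1: one rule, "Internal can go anywhere but the DMZ".
NEGATED = [
    ("Internal Outbound", INTERNAL, DMZ, True, "accept"),
    ("Cleanup", ANY, ANY, False, "drop"),  # assumed final drop-all rule
]
# Form 2: explicit deny placed before Internal Outbound.
EXPLICIT = [
    ("Deny Internal to DMZ", INTERNAL, DMZ, False, "drop"),
    ("Internal Outbound", INTERNAL, ANY, False, "accept"),
    ("Cleanup", ANY, ANY, False, "drop"),
]
# Form 2 with the deny rule placed after Internal Outbound (the mistake).
MISORDERED = [EXPLICIT[1], EXPLICIT[0], EXPLICIT[2]]

# Constructed probe packets as (source, destination).
PROBES = [
    ("10.0.0.5", "192.168.1.10"),  # internal -> DMZ
    ("10.0.0.5", "203.0.113.7"),   # internal -> outside
    ("192.168.1.10", "10.0.0.5"),  # DMZ -> internal
]

def evaluate(rulebase, src, dst):
    """First-match evaluation: return (action, name of the rule that hit)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, src_net, dst_net, negate, action in rulebase:
        dst_match = (dst in dst_net) != negate  # negation flips the match
        if src in src_net and dst_match:
            return action, name
    return "drop", "implicit"

def shadowed_rules(rulebase, probes):
    """Names of rules that none of the probe packets ever reach."""
    hit = {evaluate(rulebase, s, d)[1] for s, d in probes}
    return [rule[0] for rule in rulebase if rule[0] not in hit]

if __name__ == "__main__":
    for label, rb in (("negated", NEGATED), ("explicit", EXPLICIT),
                      ("misordered", MISORDERED)):
        actions = [evaluate(rb, s, d)[0] for s, d in PROBES]
        print(label, actions, "shadowed:", shadowed_rules(rb, PROBES))
```

The misordered rulebase shows why the deny rule has to sit before Internal Outbound: placed after it, the deny is never reached and internal traffic to the DMZ is accepted.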