Block access between internal networks but give them full access to the internet

Question

Let's say I have 3 internal networks:
- Company-A
- Company-B
- Guest

There are two companies who share the network infrastructure with additional guest network.

The goal is to block/limit access between those networks but give them full access to the internet outside.
Currently I solved that with the following set of rules:

ACCEPT    Company-B   DNS   Company-A        (Give access to DNS Server of company A)
DENY        Company-B AnyServices    Company-A & Guest
DENY        Company-A   AnyServices    Company-B & Guest
DENY        Guest            AnyServices    Company-A & Company-B
ACCEPT    Company-A & Company-B & Guest        AnyServices     AnyDestination

This setup actually works.

I'm just curious if this is the only method to solve this or if there is a cleaner way.
For example would it be possible to define a destination group which includes the whole internet but excludes all internal networks?

This thread was automatically locked due to age.

BAlfson · Accepted Answer

Hi, Chris, and welcome to the UTM Community! 
 "a destination group which includes the whole internet but excludes all internal networks" 
 In fact this is the "Internet" object, so you need to deny nothing and you can do all of the above, except DNS, with one rule: 
 {Company A, Company B, Company C} -> {Services} -> Internet : Allow 
 Normally, I would recommend sticking to DNS best practice , and you should do all of those things for company A, including Company B in step 1. I would use Ian's suggestion and not give Company B access to Company A's DNS. Do not allow the guests access to the UTM's DNS, rather force them to use the public OpenDNS or Google servers. 
 Cheers - Bob