Block one web profile accessing another?

This behavior is a side effect of UTM's unique architecture.  It takes awhile to get your head around things.   UTM does not have security zones, and it has mutually-exclusive packet processors.   So you implement a zone by ensuring that all of the packet paths have been restricted.   We have tried to document this with articles in the Wiki section and in my Web Filtering Lessons Learned document at the top of the webfilter section.

My recommended way to block traffic between zones is in the Filter Action... Websites form.   Enter block rules for your internal DNS domain as well as your internal IP address range.  This approach works for both Transparent and Standard Mode proxies, and it leaves nothing to chance about whether both DNS and IP are restricted.

With transparent proxy, using the skip list works, because DNS resolution is done at the client.   When the traffic skips the web filter, it drops down to the firewall rules.   So you need a firewall rule to block traffic from the guest network to the internal network, but I assume you have that already because you need it to block other protocols.

Tags:

There is no "Tags Master List" form, instead tags are created as they are used.   Any place that accepts a tag will allow you to pick from the list of known tags or create a new tag.   One of the beauties of tags is that a well-chosen tag name helps to document what you are restricting.   In the Websites override list, you can use the search box to find all websites with a particular tag -- just enter all or part of a tag name and search.

This behavior is a side effect of UTM's unique architecture.  It takes awhile to get your head around things.   UTM does not have security zones, and it has mutually-exclusive packet processors.   So you implement a zone by ensuring that all of the packet paths have been restricted.   We have tried to document this with articles in the Wiki section and in my Web Filtering Lessons Learned document at the top of the webfilter section.

My recommended way to block traffic between zones is in the Filter Action... Websites form.   Enter block rules for your internal DNS domain as well as your internal IP address range.  This approach works for both Transparent and Standard Mode proxies, and it leaves nothing to chance about whether both DNS and IP are restricted.

With transparent proxy, using the skip list works, because DNS resolution is done at the client.   When the traffic skips the web filter, it drops down to the firewall rules.   So you need a firewall rule to block traffic from the guest network to the internal network, but I assume you have that already because you need it to block other protocols.

Tags:

There is no "Tags Master List" form, instead tags are created as they are used.   Any place that accepts a tag will allow you to pick from the list of known tags or create a new tag.   One of the beauties of tags is that a well-chosen tag name helps to document what you are restricting.   In the Websites override list, you can use the search box to find all websites with a particular tag -- just enter all or part of a tag name and search.