I am not sure if I really get the problem, but with my customers that want the strictest access-control I typically have 3 or 4 statements per VLAN:
1) Allow to internal ressources (this could be multiple entries)
2) Deny to RFC1918
3) Allow to Internet-Ressources (this could be multiple entries)
(4 Deny to any)
And not to forget to place similar rules indo the S2S-Firewall.