Source/destination fields can contain both zones and IP addresses in the same cell.
Service field can contain both "services" (mostly port-based with handlers for some of them), and "applications" (which use Layer 7 signatures).
However, these are treated as "or" and not "and" as you seem to be suggesting you need.
If you're trying to match zone AND IP as part of a source/destination (meaning traffic must match both zone and IP), you will need to break it into two rules and use Inline Layers similar to:
In the main policy, Rule 3 matches if the source/destination zones are InternalZone and ExternalZone respectively.
If this rule does not match, the 3.x rules are skipped.
If this rule matches, then the subrules apply (for example 3.1 allows traffic between test and test2 and 3.2 blocks all other traffic from Internal Zone to External Zone).
To add an Inline Layer, change the action to Inline Layer and select the relevant blade(s) that will be active on that inline layer.
There are a couple limits on policy layers: can't push them gateway versions prior to R80 and you can have a total of 251 layers in an Access Policy.
