Greg Kristy
Yes, you can control access between subnets with intrazone firewall rules if you like, but the default for intrazone traffic is to allow it, whereas by default interzone traffic is blocked.
All I mean is that to create another subnet on a firewall, ultimately all you have to do is assign an IP address with subnet mask to an interface, and that creates a "directly connected" subnet for which it will automatically do routing. Depending upon the firewall, it will probably show up in the default instance of the virtual router or default VRF.
All I am saying is if you have multiple interfaces in the same zone and you assign them IP addresses and subnet masks, this creates different subnets for which the firewall will do routing and not block the traffic between them.
******SOLVED********
I went to my colleague in desperation. He just fixed it and didn't elaborate much on the details, though he did not charge me. Now it turns out this is precisely the correct approach. I had foolishly created a LAN2 address object. I should have just added X2 to LAN. Then some blocking was set up in the firewall rules. Tada. But in the process I've learned about routing, NAT, firewalls, and source vs. destinations vs. direction. That SonicWall configuration page is not the scary monster I once thought it was. Thanks, everyone, for your help.