I think you are doint the same traditional split tunelling where RA users can access corporate network and internet. This involves the below stage ,
Please remember the ACL should specify the traffic to be protected . Please follow this link :
NOTE : you can either excludespecified or tunnelspecified
Please rank this post .
Here is the config:
This will encrypt traffic & send over vpn to that destinsation, everything else will be routed locally.
In your scenario, you could try try permit any over the tunnel & deny the zoom meeting IP addresses - not sure if that would work but might be worth a try.