I have a partial solution for this:
Create a new template:
- leave the default rule
a. Create a new zone
- add the servers you want access to
b. Create a new service for the servers
- add a rule in the new service, make it protocol-specific (for example ICMP), and add the zone where the servers are located
(this will give you access to those servers, for ICMP ping only)
BLOCKING
- in the template, block the default rule
* this should stop all traffic, but it doesn't (which is the part I am having trouble with)
Any help would be appreciated.