Hi Aniket,
Since the destination IP address to the internet sites is unknown and traffic to other VLANs can be summarize 10.0.0.0/8 I would do one ACL and use it to bind to all VLANs
10 deny src any dst 10.0.0.0/8
20 permit any any
Note: this ACL would also prevent workstations from communicate between each other inside the same VLAN.
If this is not desired scenario than there needs to be ACE added to allow traffic within VLAN just above deny.
Please find below document which can guide you through Web GUI configuration:
http://sbkb.cisco.com/CiscoSB/ukp.aspx?vw=1&docid=1a4bb16b5d00434da5f6095746775abe_IPv4_Based_ACL.xml&pid=2&respid=0&snid=4&dispid=0&cpage=search
Regards,
Aleksandra