Using the "Global" zone is actually good when permitting traffic.
For us it wasn't that good, as what we were trying to do was to block traffic sourced from China to one of our web servers, which already had a policy in place: Untrust --> DMZ_Web source-Any; destination-MIP(Web_server); services(80,443); action (permit)
So the traffic coming from China will always hit the Untrust-->DMZ_Web policy and will be permitted before the Global policy Untrust-->Global source-china_range; destination-any; services-any; action(deny)...
What we have actually done was to create a separate policy for Untrust --> each DMZ (about 20 of them)
Untrust --> DMZ1,2,3... source-Denied; destination-any; services-any; action-deny, where "Denied" is a group where we keep adding new IPs/subnets which we should not expect any traffic from.
The rule has to sit in front of the access list to block the traffic before it is permitted.
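The ordering problem described in this post, as an added Python model that is not part of the original post and is not firewall configuration. The rule names, the `203.0.113.0/24` stand-in for the "Denied" group, and the simplification of ignoring the destination are assumptions made for the illustration.

```python
# Added illustration: first-match lookup where the zone-to-zone list is
# searched before the global list. Destination matching is left out.
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
DENIED = [ip_network("203.0.113.0/24")]  # constructed stand-in for "Denied"
WEB_PORTS = {80, 443}


def rule(name, sources, ports, action):
    # ports=None means "services-any"
    return {"name": name, "sources": sources, "ports": ports, "action": action}


def first_match(rules, src, port):
    """Return the first rule whose source and service both match."""
    for r in rules:
        src_ok = any(src in net for net in r["sources"])
        port_ok = r["ports"] is None or port in r["ports"]
        if src_ok and port_ok:
            return r
    return None


def evaluate(zone_rules, global_rules, src, port):
    """Search zone-to-zone rules first; fall back to global, then default deny."""
    src = ip_address(src)
    hit = first_match(zone_rules, src, port) or first_match(global_rules, src, port)
    return (hit["name"], hit["action"]) if hit else ("default", "deny")


permit_web = rule("untrust-dmz_web-permit", [ANY], WEB_PORTS, "permit")
global_deny = rule("global-deny", DENIED, None, "deny")
zone_deny = rule("untrust-dmz_web-deny", DENIED, None, "deny")

BEFORE = ([permit_web], [global_deny])     # deny lives only in Global
AFTER = ([zone_deny, permit_web], [])      # deny sits in front of the permit
MISORDERED = ([permit_web, zone_deny], []) # deny added, but below the permit

if __name__ == "__main__":
    layouts = {"before": BEFORE, "after": AFTER, "misordered": MISORDERED}
    for label, (zone, glob) in layouts.items():
        print(label, evaluate(zone, glob, "203.0.113.7", 443))
```

In the `BEFORE` layout the global deny still catches the blocked range on ports the zone policy does not permit, which is why such a rule can look effective in testing while web traffic from the same range is let through.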