That is correct behavior.
Say you are on Vlan 3, you need to add block rules to Vlan 1 and 2 if you want to stop them from talking to each other and then alllow access to *
The issue is your machines on your vlans don't access your WAN IP, they are accessing whatever IP that DNS resolves for
www.website.com. So you need to allow access to * at some level. All ports or limit it to 53, 80 and 443 if you only want web access.
Remember rules are checked top down.
Hope this helps a little.