Policy Block - URL and Cloud App Control vs SSL Inspection Policy


When reviewing our SSL Inspection policy, I noticed there was a “Block” option in addition to Do not Inspect and Inspection.

This prompted me to think - why does that option exist if we can block URLs/applications via URL and Cloud App Control?

Do Zscaler nodes do a second round of URL and cloud app control policies after TLS traffic is decrypted? I know ATP, malware protection, file type control uses additional information which is encrypted, but does URL and Cloud App control use that additional info?

About Policy Enforcement | Zscaler has details but I’m not 100%