Policy enforcement - SSL inspection

Hello Zscaler community,

I hope you’re doing great :slight_smile:

I’m a little bit confused regarding how policy gets enforced for SSL traffic.
About Policy Enforcement | Zscaler, I’m following this logic, depending that i’m using the ZCC or my PAC file, means it’s explicit proxy. Which means, there is a CONNECT request.
First, Evaluate policies on CONNECT request:
means the URL and Cloud app policy, then evaluate the SSL inspection policy, for example I have Do not SSL inspect and Evaluate OTher policies, which means that we are going to re-valuate the URL and Cloud policies again for the same SSL traffic?
I though that the SSL policy comes first which makes sense with the whole( Evaluate or bypass other policies).
Can anyone clarify this please?