Have you tried using the "Guest Access" access type in the WLAN configuration? It automatically configures the correct set of subnet rules such that they only have access to the Internet, and are isolated from each other as well.
As John said, Guest Access (type) should isolate the client.
Another option: You can also define L3/4/IP address access control lists and apply them to WLAN. Set up an L3/4/IP address access control list to allow or deny wireless devices based on their IP addresses.
I am afraid there is no option in ZD to get a notification whenever a guest tries to access a specific IP that is restricted.