By default the LAN Zone has Interface Trust enabled, which means all interfaces within the same Zone trust each other (pass traffic). Go to Network, Zones, and Edit the Zone in question (LAN) and remove the checkmark from Allow Interface Trust. This will remove the auto-added LAN<->LAN Allow ANY/ANY/ANY rule.

By default traffic between Zones is only allowed from “more trusted” to “less trusted” (but not the other way. Eg. from LAN to DMZ but not DMZ to LAN).