The default policy on the SRX is deny. So any traffic that you do NOT have a rule to permit between the zones will be denied by the firewall without any further need for configuration. Generally you only need to add deny rules like that if you need to log the behavior for reference, as the default deny is silent and does not log.
VMware supports having tagged interfaces for the vswitches inside the hypervisor. So you can have a vswitch for each of your zone LAN segments and put them physically on the same port to the EX switch. This will be a trunk port setup that includes all three VLANs.
On the VMware host, you can choose per vswitch which ones permit management. In the vswitch setup, you check the box to allow management on the desired vswitch VLAN and simply leave it off on the others. Then you can only manage the ESX server on the desired network segment.
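
An explicit logging deny rule of the kind mentioned in the first paragraph, as an added example that is not part of the original post. The zone names `ZONE-A` and `ZONE-B`, the policy name `deny-and-log` and the log file name `traffic-log` are placeholders, and the syslog lines assume local (event-mode) logging on the SRX.

```junos
# Catch-all deny for one zone pair. Policies are evaluated top-down,
# so this must be the LAST policy in the ZONE-A -> ZONE-B context.
set security policies from-zone ZONE-A to-zone ZONE-B policy deny-and-log match source-address any
set security policies from-zone ZONE-A to-zone ZONE-B policy deny-and-log match destination-address any
set security policies from-zone ZONE-A to-zone ZONE-B policy deny-and-log match application any
set security policies from-zone ZONE-A to-zone ZONE-B policy deny-and-log then deny

# Denied traffic never builds a session, so only session-init produces
# a log entry here (session-close would log nothing for a deny).
set security policies from-zone ZONE-A to-zone ZONE-B policy deny-and-log then log session-init

# Assumption: keep the resulting RT_FLOW messages in a local file.
set system syslog file traffic-log any any
set system syslog file traffic-log match "RT_FLOW_SESSION"
```

Repeat the policy for each zone pair and direction you want visibility into; pairs without it still fall through to the silent default deny.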