Umar, I would also add that you may want to reach out to your local support engineer from your re-seller and let them work with you on the best way to secure your systems. As stated before, layer 2 VLANs have zero cross talk or leakage between them. When you add an IP address to the VLAN and enable IP forwarding, you have opened those two VLANs to be able to route traffic back and forth between VLANs via the layer 3 interfaces.
A good SE should be able to guide you with the best way to proceed with the least amount of impact on your users. There are many ways to do what you are trying to do, and the key is fully understanding your network and who and what needs access to what segments of the network.
Good luck
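As an added illustration of the point above (not part of this thread, and not a config from any poster), assuming Cisco IOS syntax, a switch that does the layer 3 work, and constructed addresses 10.0.10.0/24 for VLAN 10 and 10.0.20.0/24 for VLAN 20: the first fragment is the weak state where the two SVIs plus `ip routing` open the path between the VLANs, and the second adds an inbound ACL on the VLAN 20 interface so that VLAN 20 hosts are routed to the uplink but not into VLAN 10.

```cisco
! --- Weak: both VLANs get an SVI and routing is on, so every host in
! --- VLAN 20 can now reach every host in VLAN 10 through the switch.
ip routing
!
interface Vlan10
 description Servers (constructed example)
 ip address 10.0.10.1 255.255.255.0
!
interface Vlan20
 description Users (constructed example)
 ip address 10.0.20.1 255.255.255.0
!
! --- Corrected: keep routing, but filter at the VLAN 20 SVI.
! --- Order matters: denies first, then the permit for everything else
! --- (e.g. the default route toward the uplink). The implicit deny at
! --- the end of every IOS ACL would otherwise drop all traffic.
ip access-list extended VLAN20-IN
 remark Block user VLAN from reaching the server VLAN
 deny   ip 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255
 remark Allow anything else (uplink / internet)
 permit ip any any
!
interface Vlan20
 ip access-group VLAN20-IN in
!
! --- Verify: hit counters should increase on the deny line when a
! --- VLAN 20 host tries to reach VLAN 10.
! show ip access-lists VLAN20-IN
```

If a few VLAN 20 hosts genuinely need a server, add specific `permit` lines for those source/destination pairs above the `deny` so the least-privilege rule stays readable.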