To allow configuration of some items (WEB proxy, DNS server as example) SNF requires Internet Access. But SNF can be sensibly used in other environments as well - e.g. we often use firewall to temporarily connect some group of PCs to Intranet with different access policies (allow access to selected addresses only or allow only selected protocols etc).
I do not think SNF should restrict users here. In environments where SNF just (inter-)connects several networks there is no "Internet" at all. While it is possible to define one of zones as "Internet" it is very misleading, because it has some implied semantics w.r.t. default access policy and in such configurations it is usually wrong. -andrej
