ARP is usually not affected by firewalls, at least the common and most used. If you block ARP you are risking to lose connectivity, so blocking it is not that easy.
Regarding the other one with the gateway, I meant that PC Ax and ZS Site A should use default gateway the GW A and the others GW B. However this doesn’t provide failover in case GW A or B goes down.
ZS should be fine without messing with the firewall or any other setting on the BRIDGE interface.