Update: My own fundamental misunderstanding of the IP tables or Firewall settings was my error. I was looking at the first INPUT CHAIN in the IP tables list and assumed it was allowing all connections. I learned that this part was referencing the SYS_GUI chain and SYS_HTTPS chain and those chains denied access to all but private IP ranges.
I disabled IP tables altogether and I was then able to access the GUI over the public IP, then I could easily add approved IP numbers in the WEB GUI config section. This will still obviously be an issue for anyone wanting to manage a remote ZS from a dynamic IP as you can only add a static IP to manage from, unless you get a proxy to manage ZS through but hey, a proxy is the whole functional point of installing ZS on a remote system like this so anyway…..