In Normal Block Policies:
If it is a normal URL Filtering & Cloud App Control policy or any other policy, you will be presented with the block page because Zscaler inspect that traffic and decrypt the CONNECT request as they can allow some packet exchange for those URLs as those are not harmful. Zscaler will then send a 403 response code along with a reset from their side and a HTTP page which shows the block message.
In case Malicious Block Policies:
If it is a malicious URL and it is listed on Zscaler side, they block it on the CONNECT request only. Zscaler do not even decrypt that because blocking the connection on first request is their priority instead of showing a block page. As it is a security threat, they will send a reset packet right away instead of decrypting and then sending reset after a block page.
