As many active zones as you need are possible; see:
    firewall-cmd --get-active-zones
But only one zone per interface.
And there is the problem. I have one NIC, so one interface. I have a router in front of the system on which I am running firewalld. The router forwards some ports to the system. I am using firewalld to protect the system from IPs trying to break into it.
I have an active zone on the interface which defines services that are permitted and their ports. I have been using a direct rule to use ipsets to blacklist IPs. When I updated to the versions of ipset and firewalld that are in Fedora 26, the direct rule quit working. That may be a bug or bugs or a change in use. Either way, firewalld is no longer blocking the IPs in the ipsets I have defined.
John
firewalld-users@lists.fedorahosted.org