Hi,
1. Yes. For each context (from-zone x to-zone y), after the user-defined policies, there will be a default deny (implicit) rule at the end.
2. Yes, use deactivate (this applies not only to policies, but to any config hierarchy). For example:
deactivate security policies from-zone INTERNAL to-zone INTERNAL policy restrict-specific
To reactivate it, use:
activate security policies from-zone INTERNAL to-zone INTERNAL policy restrict-specific
3. If the traffic is getting denied by the default (implicit) policy, you will not be able to see it in the logs. If required, we can have a policy at the end with match condition any, any, any and action deny + log; then we can see all the denied traffic logs using "show log rtlogd".
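
The explicit deny-and-log policy described in point 3, as an added configuration example that is not part of the original reply. The policy name deny-all-log and the placeholder <new-policy> are hypothetical; the zone names are reused from the reply, and the syslog lines assume event-mode logging to a local file named rtlogd, as the reply's show command implies.

```junos
# Added example (constructed). Policy name "deny-all-log" is hypothetical.
# A newly created policy is appended to the end of its from-zone/to-zone
# context, so it is evaluated after every existing user-defined policy.
set security policies from-zone INTERNAL to-zone INTERNAL policy deny-all-log match source-address any
set security policies from-zone INTERNAL to-zone INTERNAL policy deny-all-log match destination-address any
set security policies from-zone INTERNAL to-zone INTERNAL policy deny-all-log match application any
set security policies from-zone INTERNAL to-zone INTERNAL policy deny-all-log then deny

# Denied traffic never establishes a session, so log at session-init;
# session-close produces no entry for a deny policy.
set security policies from-zone INTERNAL to-zone INTERNAL policy deny-all-log then log session-init

# Assumption: logs are written locally to a file named rtlogd.
set security log mode event
set system syslog file rtlogd any any
set system syslog file rtlogd match RT_FLOW

# Policies added later land after deny-all-log and would never match.
# Move each new one above it (<new-policy> is a placeholder):
insert security policies from-zone INTERNAL to-zone INTERNAL policy <new-policy> before policy deny-all-log

# After commit, review the order and the denied-traffic entries:
show security policies from-zone INTERNAL to-zone INTERNAL
show log rtlogd | match RT_FLOW_SESSION_DENY
```

The set and insert lines are entered in configuration mode; the two show commands are operational-mode commands (prefix them with run if still in configuration mode).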