Which three of these statements about a zone-based policy firewall are correct?
(Choose three.)

A.
An interface can be assigned to only one security zone.

B.
By default, all traffic to and from an interface that belongs to a security zone is
dropped unless explicitly allowed in the zone-pair policy.

C.
Firewall policies, such as the past, inspect, and drop actions, can only be applied
between two zones.

D.
In order to pass traffic between two interfaces that belong to the same security
zone, you must configure a pass action using class-default.

E.
Traffic cannot flow between a zone member interface and any interface that is
not a zone member.

Explanation:
http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-designguide.html
A -> An interface can be assigned to only one security zone. so it is correct
B -> is just partially correct: All traffic to and from a given interface is implicitly blocked
when the interface is assigned to a zone, except traffic to and from other interfaces in
the same zone, and traffic to any interface on the router
C -> Traffic cannot flow between a zone member interface and any interface that is not
a zone member. Pass, inspect, and drop actions can only be applied between two zones.
D -> Traffic is implicitly allowed to flow by default among interfaces that are members of
the same zone; so D is not correct
E -> Traffic cannot flow between a zone member interface and any interface that is not a
zone member. Pass, inspect, and drop actions can only be applied between two zones.