Each user role is a subset of policies. Each policy is conducted by one or more ACLs.
If you want to check what policy is assigned to a given role then navigate to Configuration - Access Control and look for the certain role. If you edit this role you can modifiy the policies (change the order, add new one etc.).
If you want to fully block the access to internal networks then I suggest you to create a new policy which consists 3 deny ACLS:
ip access-list session "block-all-internal"
alias "user" network 192.168.0.0 255.255.0.0 any deny queue low
alias "user" network 172.16.0.0 255.240.0.0 any deny queue low
alias "user" network 10.0.0.0 255.0.0.0 any deny queue low
!
After it is done add the new policy to the role and move it to the top.
By the way the default guest role is built to only allow certain traffic (dns, http, https etc.) - you may check this in the Access Control menu as mentioned above, however, it lacks the policy which blocks the internal traffic.