Dan
There are parts of your post that I do not understand well, but I have some comments that I believe address your concerns. If my comments do not resolve it, then perhaps you can clarify some things and we can get to a resolution.
First I would comment on this in your post:
"I would have thought that a router would not forward traffic from one port to another w/o a rule specifically allowing this"
The basic operating principle of the router is that if traffic is received on one interface and the router knows how to forward toward the destination, then the router will forward on the best path toward the destination. There is no need for any rule to allow this, and if there is some traffic which you want the router to not forward, then you need to configure rules (access lists) to prevent it.
If you do not want these two subnets to talk to each other through the router then you need access lists configured to deny this traffic and to permit other traffic. You probably could manage to do this with one access list, but my suggestion would be to write two access lists. I would suggest placing an access list inbound on each of the interfaces to deny traffic to the other subnet and to permit other traffic.
HTH
Rick
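The two inbound access lists described above, written out as an added example (this is not configuration from Rick's post or from the thread). It assumes subnet A is 192.168.10.0/24 on GigabitEthernet0/0 and subnet B is 192.168.20.0/24 on GigabitEthernet0/1; interface names and addresses are placeholders to adapt.

```cisco
! Assumed topology (example values, not from the thread):
!   GigabitEthernet0/0  192.168.10.1/24   (subnet A)
!   GigabitEthernet0/1  192.168.20.1/24   (subnet B)
!
! ACL for the subnet A interface: deny traffic destined for subnet B,
! then explicitly permit everything else (default route, Internet, etc.).
! The explicit "permit ip any any" matters: every IOS ACL ends with an
! implicit deny, so without it all other traffic from A would be dropped.
ip access-list extended BLOCK-A-TO-B
 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 log
 permit ip any any
!
! Mirror image for the subnet B interface.
ip access-list extended BLOCK-B-TO-A
 deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 log
 permit ip any any
!
! Apply each list inbound on the interface facing its own subnet, so the
! traffic is dropped as it enters the router rather than after routing.
interface GigabitEthernet0/0
 ip access-group BLOCK-A-TO-B in
!
interface GigabitEthernet0/1
 ip access-group BLOCK-B-TO-A in
!
! Verify: "show ip access-lists" shows per-entry match counters; the deny
! counters should increase when a host on A tries to reach B (the "log"
! keyword also records matches to syslog for later review).
```

The `log` keyword on the deny entries is optional; it gives visibility into blocked attempts but adds CPU load on busy interfaces, so leave it off if the router is heavily loaded.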