Personally, I would use the Firewall settings on each office PC [either turning off file sharing on the ZeroTier link, or declaring it a public link and only allowing RDP], as it is good practice to assume your internal network may turn hostile one day. As it is, the config you have there looks like it might work.
Try it with one client and one PC, then see if you can access the things you want blocked.
If it works as expected, then you can set up the remaining machines with your settings.
Note: I’m using the approach of implementing a test system, seeing if everything works as expected, then rolling out the changes to everything else.
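One way to apply the per-PC firewall approach from the post above on a Windows office machine, as an added example that is not part of the original post or of ZeroTier's own tooling. It assumes the ZeroTier virtual adapter's InterfaceDescription starts with "ZeroTier", that RDP listens on the default TCP port 3389, and uses a placeholder network range that you replace with your own managed route.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session.
# Assumptions: the ZeroTier adapter's InterfaceDescription begins with "ZeroTier";
# $ztRange is a PLACEHOLDER for your ZeroTier managed route; RDP is on TCP 3389.
$ztRange = '10.147.17.0/24'   # placeholder, substitute your network's range

# 1. Locate the ZeroTier adapter and classify its connection as Public, so the
#    stricter Public firewall profile governs traffic arriving over the overlay.
$zt = Get-NetAdapter | Where-Object { $_.InterfaceDescription -like 'ZeroTier*' }
if (-not $zt) { throw 'ZeroTier adapter not found' }
Set-NetConnectionProfile -InterfaceIndex $zt.ifIndex -NetworkCategory Public

# 2a. "Turn off file sharing on the ZeroTier link": unbind the SMB server service
#     (ms_server) from that adapter only; other adapters keep sharing as before.
Disable-NetAdapterBinding -Name $zt.Name -ComponentID 'ms_server'

# 2b. Belt and braces: make sure the built-in File and Printer Sharing rules are
#     not enabled for the Public profile (which now covers the ZeroTier link).
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
    Where-Object { $_.Profile -match 'Public|Any' } |
    Disable-NetFirewallRule

# 3. Allow only RDP inbound on the Public profile, and only from the ZeroTier range.
New-NetFirewallRule -DisplayName 'RDP from ZeroTier only' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $ztRange `
    -Profile Public -Action Allow

# 4. Verify on this one test PC before rolling out: profile category, the SMB
#    binding state, and the port filter attached to the new rule.
Get-NetConnectionProfile -InterfaceIndex $zt.ifIndex | Select-Object Name, NetworkCategory
Get-NetAdapterBinding -Name $zt.Name -ComponentID 'ms_server' | Select-Object Name, Enabled
Get-NetFirewallRule -DisplayName 'RDP from ZeroTier only' | Get-NetFirewallPortFilter
```

From the single test client, `Test-NetConnection <pc-zerotier-ip> -Port 445` should now fail while `-Port 3389` succeeds; only once that matches your expectations should the same steps be applied to the remaining machines.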