A `deny` is required when you want to make an exception to a more general, subsequent `permit`. For example, you may not want a single node to access another subnet, a host, or the open Internet while all the other nodes in the same subnet (or zone) are granted access. To deny 10.0.1.99 access to anywhere else while the other nodes in 10.0.1.0/24 are permitted:

```
deny ip 10.0.1.99 0.0.0.0 0.0.0.0 255.255.255.255
permit ip 10.0.1.0 0.0.0.255 0.0.0.0 255.255.255.255
```

Using `permit` only and relying on the ultimate, implicit `deny ip any any` would require many more rules.
You can also use that logic to explicitly deny traffic that you don't want and then permit everything else.
Additionally, putting an explicit `deny ip any any` at the end of an ACL may be helpful for people not accustomed to reading ACLs. Also, adding the `log` option creates log entries, which the default implicit deny doesn't.
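
The first-match evaluation that makes the rule order above matter, as an added example that is not part of the original text: it evaluates the two rules in the order given and in reverse order, and falls through to the implicit deny when nothing matches. The helper names (`parse_rule`, `evaluate`) are hypothetical, and the sample source and destination addresses are constructed.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def parse_rule(line):
    """Parse '<permit|deny> ip <src> <src-wildcard> <dst> <dst-wildcard>'."""
    action, proto, src, src_wc, dst, dst_wc = line.split()
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported rule: {line!r}")
    return action, _ip(src), _ip(src_wc), _ip(dst), _ip(dst_wc)

def _match(addr, base, wildcard):
    # Wildcard bits set to 1 are "don't care"; all other bits must be equal.
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)

def evaluate(acl_lines, src, dst):
    """Return (action, matching rule text) for the first rule that matches."""
    s, d = _ip(src), _ip(dst)
    for line in acl_lines:
        action, sb, sw, db, dw = parse_rule(line)
        if _match(s, sb, sw) and _match(d, db, dw):
            return action, line
    # No rule matched: the ACL's implicit final deny applies.
    return "deny", "implicit deny ip any any"

# The two rules from the text, in the order given.
ACL = [
    "deny ip 10.0.1.99 0.0.0.0 0.0.0.0 255.255.255.255",
    "permit ip 10.0.1.0 0.0.0.255 0.0.0.0 255.255.255.255",
]
# Same rules reversed: the general permit now shadows the specific deny.
ACL_REVERSED = list(reversed(ACL))

if __name__ == "__main__":
    # Constructed sample flows (addresses chosen for illustration).
    for name, acl in (("as written", ACL), ("reversed", ACL_REVERSED)):
        for src in ("10.0.1.99", "10.0.1.20", "10.0.2.5"):
            print(name, src, "->", evaluate(acl, src, "192.0.2.10"))
```

With the rules reversed, 10.0.1.99 matches the subnet-wide `permit` first and the specific `deny` is never reached, which is why the exception has to come before the general rule.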