  • Firewalld Annoyances

    What's the best way to get an EL7-based system to operate in an implicit-deny stance?

    Under EL6, you'd just set the INPUT chain policy to "DROP", add just the exceptions you needed for things like SSH (and ESTABLISHED/RELATED to ensure that yum worked) and you were good to go. It seems like firewalld doesn't really offer a posture that doesn't at least send an ICMP-host-prohibited response to people probing your systems. Switching the default zone to the "drop" zone is more functionally-limiting than even just the EL6 method.

    Personally, I'd rip firewalld out and just run naked iptables, but our IA team informs us that we have to run firewalld because that's the approved host-based firewall solution for RHEL7.

    Ideas for how best to get back my RHEL6 behavior under firewalld? Right now, I'm about ready to murder my IA guys for forcing me to have to screw with firewalld when I've got nine million things I'd rather be working on.


    © 2026 Red Hat