They should sanitize their input so people can't just change a URL to see things they should not see. If you don't want someone to change a number, don't put the number in the URL.
You could configure the HTTP application defense, under the HTTP URL Control tab, to Deny all URLs that match a string (or part of a string). But, NO ONE will be able to go to those URLs then (through that rule). The firewall cannot make a decision on allowing a specific person to see a URL or not.