I guess it just turns out that the bot who listed me as open had simply
updated itself (removed me) and when it found me (open) again I was right
back to square one...

Back to the same old situation: a rule with the private IP opens the
gates and lets loose the dogs of collision, allowing public proxying off my
public interface.

Offending rule: (TID 10013840)
Source Interface: <Any>
Destination Interface: <Public>
Src Port: 80
Dest Port: 1024-65535
Src Address: <Private IP>
Dest Address: <Any>

Essentially it seems the source interface of <any> combined with a private
IP creates a conflict so BM just throws up its hands and says, "Go ahead,
have it, this guy's apparently clueless."

But changing the source interface over to the private interface that the
private IP is actually attached to seems like it should correct the
conflict and stop unwanted proxying, but then (along with its other half)
it still does not allow the desired traffic to flow.

Even adding a pair of <public> <<-->> <public> with <src> and <dest> set to
the (secondary) public IP of the server inside the wall doesn't help.

It's like it's all or nothing....