...this is by design.
The SWG has always moved access to the webconsole from the Management Interface to the Inline interface and back, whenever the service is started/stopped. All the "Separate Management and Inline Networks" option does is force the console to be accessible on both IP addresses.
I've asked Symantec about this before, as it's not very clear from the documentation what that option actually does; only that it is required if you want to enable either of the proxy modes. And obviously, it's a security risk.
It's not like there's even an option within the SWG to restrict access to the webconsole by source IP address either.