how to exclude some routes when user is not logged in zfcuser?

Question 1

Simple Way:

in controller:

if (!$this->zfcUserAuthentication()->hasIdentity()) {
    return $this->redirect()->toRoute('route_to_login',array('param' => $param));
}

Some more: (after auth zfcuset will redirect you to previous controller)

in module.config.php

'controllers' => array(
    'invokables' => array(
        'zfcuser' => 'Application\Controller\UserController',
    ),
...
),

next copy file vendor\zf-commons\zfc-user\src\ZfcUser\Controller\UserController.php to module Application (same folder as in module.config.php)

delete all function except authenticateAction add: use Zend\Session\Container; and change return $this->redirect()->toRoute($this->getOptions()->getLoginRedirectRoute()); to

$redirect_session = new Container('redirect');
        $redirect = $redirect_session->redirect;
        if($redirect!='')
        {
            unset($_SESSION['redirect']);
            return $this->redirect()->toRoute($redirect, array('lang' => $lang));
        }
        return $this->redirect()->toRoute($this->getOptions()->getLoginRedirectRoute(),array('param' => $param));

and at last add in controller

use Zend\Session\Container;
...
if (!$this->zfcUserAuthentication()->hasIdentity()) {
            $redirect_session = new Container('redirect');
            $redirect_session->redirect = 'route_to_this_controller_action';
            return $this->redirect()->toRoute('route_to_login',array('param' => $param));
        }

Question 2

I disagree with the selected answer because it's not really practical to do these kind of things inside every action of every controller that you want to deny access to.

There are two big modules out there that are used for this task. The first one being BjyAuthorize and the other big one being ZfcRbac. Please check them out. ZfcRbac is my favorite (because i wrote documentation for it) but it requires PHP 5.4+