How to define a Network Zone for Windows Update servers?

Today, I allow TCP out from svchost.exe to any IP address and HTTP ports in order to allow Windows Updates to work with Microsoft’s hundreds of servers. This creates a risk that malware could install a service and access the internet freely through svchost.exe. I would like to create a Network Zone for the servers used by Microsoft for Windows Update. Given that I live in the US, what exact entries should be in this Network Zone? Since Microsoft could change the IP addresses in the future, it seems that host names for the destination address would be best. Does this work with the Comodo firewall? If so, which host names should I use?

Microsoft rotate the IP address of their update servers within a given range for security purposes. The domains used for updates are:

http://windowsupdate.microsoft.com
http://.windowsupdate.microsoft.com
https://
.windowsupdate.microsoft.com
http://.update.microsoft.com
https://
.update.microsoft.com
http://.windowsupdate.com
http://download.windowsupdate.com
http://download.microsoft.com
http://
.download.windowsupdate.com
http://wustat.windows.com
http://ntservicepack.microsoft.com

However, you will need to use the IP address blocks in the Network zone as wild cards are not supported. I use:

213.199.144.0 - 213.199.159.255
65.52.0.0 - 65.55.255.255
207.46.0.0 - 207.46.255.255
64.4.0.0 - 64.4.63.255
94.245.64.0 - 94.245.125.255
213.199.160.0 - 213.199.191.255

Microsoft also use AKAMAI to host updates and they use a whole swathe of IP blocks, which seem to be partially geographical. I currently use:

84.53.146.0 - 84.53.146.255
92.123.68.0 - 92.123.71.255
217.212.252.128 - 217.212.252.255

These may vary for you. Best option is crank the settings up in the firewall to Custom Policy with alerts on vey high and run windows update a couple of times. This will capture the necessary information you need.

Edit: You will need to allow TCP Out on 80 and 443.

Thanks for the help Radaghast. I was hoping to do it with host names.

When I did a Windows Update recently, I saw an address outside of your ranges. I looked it up at http://www.netinfo.org.ua/, which showed that it belongs to Akamai Technologies. This info also shows the IP address range for the block of servers.