Unless I’m missing something (which is certainly possible – Help doesn’t seem terribly clear to me on this issue), the current Network Zone implementation can be a huge security hole.
Even without the issue of IP address spoofing, it’s quite common for different networks to use the same private network addresses. One such network might be trusted, another might not, and there’s no real way for CIS to know which is which.
My personal notebook computer uses ThinkVantage Access Connections to manage networking Profiles (both wired and wireless), which gives me fine-grained control of all network settings (even the default printer) by Profile. The only automatic network Profiles I allow are by strong WPA authentication; all other network (inc. Ethernet) Profiles are by manual selection only. I’d like to see a similar network Profile and selection capability in CIS.
This is probably my biggest security issue with CIS.
P.S. ThinkVantage Access Connections has an advanced option to turn Windows Firewall on or off by networking Profile. Does CIS Firewall work properly with this option?
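
The ambiguity raised in the post, modelled as an added example that is not part of the original post and is not CIS or Access Connections code: a zone keyed only on a private address range cannot tell two networks apart, while a profile that is applied automatically only after WPA authentication (otherwise by manual selection) can. The zone table, profile names and sample networks are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Network:
    """Constructed description of a network the host has just joined."""
    ssid: Optional[str]            # None for wired Ethernet
    host_ip: str
    wpa_authenticated: bool        # link came up through WPA authentication
    manual_profile: Optional[str]  # profile the user picked by hand, if any

# Hypothetical zone table keyed only by address range.
ADDRESS_ZONES = {"Home": ipaddress.ip_network("192.168.1.0/24")}
# Hypothetical profiles: automatic selection is allowed only for these SSIDs,
# and only once WPA authentication has succeeded.
AUTO_PROFILES = {"home-wlan": "home-wifi"}
PROFILE_TRUST = {"home-wifi": "trusted", "hotel-ethernet": "untrusted"}

def zone_by_address(net: Network) -> str:
    """Trust decision that looks only at the address the host was given."""
    ip = ipaddress.ip_address(net.host_ip)
    hit = any(ip in cidr for cidr in ADDRESS_ZONES.values())
    return "trusted" if hit else "untrusted"

def zone_by_profile(net: Network) -> str:
    """Trust decision tied to an authenticated or hand-picked profile."""
    if net.wpa_authenticated and net.ssid in AUTO_PROFILES:
        return PROFILE_TRUST[AUTO_PROFILES[net.ssid]]
    if net.manual_profile in PROFILE_TRUST:
        return PROFILE_TRUST[net.manual_profile]
    return "untrusted"  # unknown network: default deny

# Constructed sample networks; three of them hand out the same private range.
HOME = Network("home-wlan", "192.168.1.23", True, None)
CAFE = Network("cafe-open", "192.168.1.23", False, None)
LOOKALIKE = Network("home-wlan", "192.168.1.23", False, None)  # same SSID, no WPA
HOTEL = Network(None, "192.168.1.50", False, "hotel-ethernet")

if __name__ == "__main__":
    for net in (HOME, CAFE, LOOKALIKE, HOTEL):
        print(net.ssid, zone_by_address(net), zone_by_profile(net))
```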