The most important thing to remember about Network Zones under CIS is that, in isolation, they have no meaning. That is, if I create a network zone and populate it with data, until I actually use that zone as part of a firewall rule, it’s not actually doing anything.
Another thing to remember: with automatic detection of new networks enabled, when you receive an alert and define a zone as either Home or Work, then in addition to creating the zone, rules allowing inbound and outbound IP for the IP address block defined by the zone are added to the System process in Application Rules and also to Global Rules. If you define the network as Public, a zone is created but no rules are added.
In all honesty, the zones are just a simple way of identifying collections of IP addresses, which can then be used in rules, for blocking, etc.
Windows Profiles are slightly different: they’re defined as Domain, Private and Public. When you define a new rule you can decide which profile it belongs to; the default is all three, and although the choice of profile is yours, a rule has to have at least one profile.
The Domain profile is for use when the client is a member of an Active Directory domain and a Domain Controller can be detected. The Private profile is really the equivalent, sort of, to the Home zone in CIS; that is, it tends to apply to your local area network and so is relatively well trusted. By contrast, the Public profile is the least trusted.
One other point: Windows 7 (possibly Vista, I forget) and later use a service called the Network Location Awareness service, which helps Windows identify what kind of network you’re attached to and thus apply the appropriate profile.
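An added example, not from the post above, showing the Windows side of this from an administrator's seat: which profile NLA has applied to each adapter, what each profile's defaults are, and a rule scoped to one profile plus an address block (the closest Windows analogue of a CIS Home zone that only matters once a rule uses it). The rule name and the 192.168.1.0/24 block are constructed placeholders; it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the original post). Requires an elevated PowerShell
# session on Windows 8 / Server 2012 or later (NetSecurity and NetConnection modules).

# 1. Which profile is Windows applying to each adapter right now? This is the
#    decision the Network Location Awareness service (NlaSvc) makes.
Get-Service -Name NlaSvc | Select-Object Name, Status, StartType
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, Name, NetworkCategory, IPv4Connectivity

# 2. Per-profile defaults: confirm the Public profile still blocks unsolicited
#    inbound traffic (the least trusted profile should have the strictest default).
Get-NetFirewallProfile -Profile Domain, Private, Public |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# 3. The nearest Windows analogue of a CIS "Home" zone: an address block that only
#    has meaning once a rule refers to it. Rule name and subnet are constructed
#    placeholders; substitute your own LAN range.
$ruleName = 'LAN file sharing (example)'
$lanBlock = '192.168.1.0/24'   # constructed placeholder, not a real deployment value

New-NetFirewallRule -DisplayName $ruleName `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 445 `
    -RemoteAddress $lanBlock `
    -Profile Private   # a rule must carry at least one profile, so scope it deliberately, never Public

# 4. Verify the rule is scoped the way you intended: the profile list is on the
#    rule object, but the address and port filters are stored separately.
$rule = Get-NetFirewallRule -DisplayName $ruleName
$rule | Select-Object DisplayName, Enabled, Direction, Action, Profile
$rule | Get-NetFirewallAddressFilter | Select-Object RemoteAddress
$rule | Get-NetFirewallPortFilter    | Select-Object Protocol, LocalPort
```

If an adapter shows NetworkCategory Public when you expected Private, the rule above will not apply to it; reclassifying the connection is a separate, deliberate step (Set-NetConnectionProfile) rather than something to fix by widening the rule's profile list.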