I get the basic principle of zones: the idea seems to be that you create zones at the top level from specific devices, and then you add a (broadly) location-based sub-zone with IP ranges.
Unfortunately, this is not quite what I want to do. I want to be able to create
These will cross-cut - every division will have its own domain controllers, file servers, PCs, etc. How would you suggest I go about this?
It's precisely because I do want to do permission-based separation that I'm using zones for the device types.
The way that the data sources have been defined means I cannot easily adopt the approach for business divisions that you suggest, mainly because a huge number of them are already collected as clients of two large Windows forwarding servers.
So, it's always hard to envision how someone has configured their devices and whatnot with just a few sentences.
But the key factors are: