Users can sign up to the web interface in a virtual host domain different from their own domain by using their full email address:
firstname.lastname@example.org can login at mail.domain2.com if using the full email@example.com email address as login id.
This shouldn't pose any particular security issues (or does it?) as the user still sees his own mail. Also a user would have to know that another domain is using zimbra (and on the same zimbra install). However, it's messy. It's also liable to create FUD in the minds of end-users and corporate admin clients if they ever encounter this behaviour.
Is there any way to prevent this, and force a user in a given domain to only be able to login in the web mail page for that domain ? That is, firstname.lastname@example.org can only log in at mail.domain1.com
email@example.com can only log in at mail.domain2.com