Users can sign up to the web interface in a virtual host domain different from their own domain by using their full email address:

user1@domain1.com can login at mail.domain2.com if using the full user1@domain.com email address as login id.

This shouldn't pose any particular security issues (or does it?) as the user still sees his own mail. Also a user would have to know that another domain is using zimbra (and on the same zimbra install). However, it's messy. It's also liable to create FUD in the minds of end-users and corporate admin clients if they ever encounter this behaviour.

Is there any way to prevent this, and force a user in a given domain to only be able to login in the web mail page for that domain ? That is, user1@domain1.com can only log in at mail.domain1.com
user2@domain2.com can only log in at mail.domain2.com