We are starting to investigate vShield zones.
I have an architectural question for you. I understand the vShield Zone can carve up VMs and put them in different security zones. In this way, it restricts servers' traffic to each other.
How do clients deal with the security zones at this point? Can I restrict (by IP) an end user from accessing a secured zone? Or does vShield Zone only deal with internal traffic in the vDC?
Yes, you can create rules based on IP address/subnet to restrict access to your secured VMs. With the licensed version or vShield App, you are also able to create firewall rules around VC containers (Datacenter, Cluster, Resource Pools, vApps) and VLANs. So you could create a rule that says, for example: from 'Outside Web Servers Cluster' block any/any TCP/UDP and only allow ports 80 and 443. At this point you are not using IP addresses in the rule, so you can technically re-IP the VMs in this Cluster and not have to tweak your firewall rules. Also, any new VMs added to this cluster will automatically inherit these firewall rules.
One additional feature of the licensed version is that if IPs, subnets, VLANs and VC containers are not enough, you can use the 'Security Groups' feature, which allows you to take vNICs off of any virtual machine and group them into a 'security group' that can then be used to create new firewall rules.
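To make the difference between IP-based and container-based rules concrete, here is a small Python model of the behaviour the answer describes: rules whose source or destination is a vCenter container keep working after a VM is re-IPed, and a VM newly placed in the container inherits them, while a client subnet can still be kept out of a secured zone by CIDR. This is an added illustration, not vShield code or its API; the cluster name 'Outside Web Servers Cluster' comes from the answer, while 'App Cluster', 'Secured Zone', the VM names, the 192.0.2.x/198.51.100.x addresses and the 10.50.0.0/16 end-user subnet are constructed for the example.

```python
"""Toy model of container-based firewall rules, in the style the answer
describes. Added illustration only; not vShield code or its API."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class VM:
    name: str
    cluster: str   # the vCenter container (cluster) the VM belongs to
    ip: str


@dataclass
class Rule:
    src: str                            # "cluster:<name>", a CIDR, or "any"
    dst: str                            # same selector syntax
    action: str                         # "allow" or "block"
    proto: Optional[str] = None         # "tcp"/"udp"; None means either
    ports: Optional[frozenset] = None   # None means any port


class Inventory:
    """VM name -> VM; the firewall consults this at evaluation time,
    so a rule bound to a container never stores an IP address."""
    def __init__(self):
        self.vms = {}

    def add(self, vm):
        self.vms[vm.name] = vm

    def reip(self, name, new_ip):
        self.vms[name].ip = new_ip


def selector_matches(selector, inv, endpoint):
    """endpoint is a VM name (looked up in the inventory) or a raw IP
    string (an end-user client outside the vDC)."""
    if selector == "any":
        return True
    if selector.startswith("cluster:"):
        vm = inv.vms.get(endpoint)
        return vm is not None and vm.cluster == selector.split(":", 1)[1]
    # CIDR selector: resolve a VM name to its current IP, else use the raw IP
    ip = inv.vms[endpoint].ip if endpoint in inv.vms else endpoint
    return ip_address(ip) in ip_network(selector)


def decide(rules, inv, src, dst, proto, port, default="allow"):
    """First matching rule wins; fall through to the default action."""
    for r in rules:
        if r.proto is not None and r.proto != proto:
            continue
        if r.ports is not None and port not in r.ports:
            continue
        if selector_matches(r.src, inv, src) and selector_matches(r.dst, inv, dst):
            return r.action
    return default


def demo():
    # Constructed inventory and rule set (names/addresses are examples only)
    inv = Inventory()
    inv.add(VM("web01", "Outside Web Servers Cluster", "192.0.2.10"))
    inv.add(VM("app01", "App Cluster", "192.0.2.30"))
    inv.add(VM("db01", "Secured Zone", "192.0.2.50"))
    rules = [
        # "only allow ports 80 and 443" from the web cluster ...
        Rule("cluster:Outside Web Servers Cluster", "any", "allow", "tcp", frozenset({80, 443})),
        # ... and block any/any TCP/UDP from it otherwise
        Rule("cluster:Outside Web Servers Cluster", "any", "block"),
        # keep an end-user subnet out of the secured zone by IP
        Rule("10.50.0.0/16", "cluster:Secured Zone", "block"),
    ]
    out = {}
    out["web_https"] = decide(rules, inv, "web01", "app01", "tcp", 443)
    out["web_ssh"] = decide(rules, inv, "web01", "app01", "tcp", 22)
    inv.reip("web01", "198.51.100.10")            # re-IP: rules untouched
    out["web_ssh_after_reip"] = decide(rules, inv, "web01", "app01", "tcp", 22)
    inv.add(VM("web02", "Outside Web Servers Cluster", "192.0.2.11"))
    out["new_vm_inherits"] = decide(rules, inv, "web02", "app01", "udp", 53)
    out["user_to_secured"] = decide(rules, inv, "10.50.3.7", "db01", "tcp", 1433)
    out["user_to_app"] = decide(rules, inv, "10.50.3.7", "app01", "tcp", 8080)
    return out


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow}: {verdict}")
```

The point of the model is where the IP lookup happens: a `cluster:` selector is resolved against the inventory at evaluation time, so re-addressing `web01` or adding `web02` changes nothing in the rule table, whereas the CIDR rule is the only place an address is pinned.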