diff --git a/test/integration/default/controls/zones_spec.rb b/test/integration/default/controls/zones_spec.rb
new file mode 100644
index 0000000..82382ba
--- /dev/null
+++ b/test/integration/default/controls/zones_spec.rb
@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+control 'zones/public.xml configuration' do
+  title 'should match desired lines'
+
+  describe file('/etc/firewalld/zones/public.xml') do
+    it { should be_file }
+    it { should be_owned_by 'root' }
+    it { should be_grouped_into 'root' }
+    its('mode') { should cmp '0644' }
+    its('content') do
+      should include <<~ZONE_XML
+        <zone>
+          <short>Public</short>
+          <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
+          <service name="zabbixcustom" />
+          <service name="http" />
+          <service name="https" />
+          <service name="ssh" />
+          <service name="salt-minion" />
+          <!-- zabbix-agent -->
+          <port port="10050" protocol="tcp" />
+          <!-- bacula-client -->
+          <port port="9102" protocol="tcp" />
+          <!-- vsftpd -->
+          <port port="21" protocol="tcp" />
+          <protocol value="igmp" />
+          <!-- something -->
+          <source-port port="2222" protocol="tcp" />
+          <!-- something_else -->
+          <source-port port="4444" protocol="tcp" />
+          <rule family="ipv4">
+            <source address="8.8.8.8/24" />
+            <accept/>
+          </rule>
+          <rule family="ipv4">
+            <source ipset="fail2ban-ssh" />
+            <reject type="icmp-port-unreachable" />
+          </rule>
+        </zone>
+      ZONE_XML
+    end
+  end
+end
+
+control 'zones/rich_public.xml configuration' do
+  title 'should match desired lines'
+
+  describe file('/etc/firewalld/zones/rich_public.xml') do
+    it { should be_file }
+    it { should be_owned_by 'root' }
+    it { should be_grouped_into 'root' }
+    its('mode') { should cmp '0644' }
+    its('content') do
+      should include <<~ZONE_XML
+        <zone>
+          <short>rich_public</short>
+          <description>Example</description>
+          <rule>
+            <source ipset="fail2ban-ssh" />
+            <service name="ssh" />
+            <accept/>
+          </rule>
+          <rule>
+            <source ipset="other-ipset" />
+            <service name="ssh" />
+            <accept/>
+          </rule>
+        </zone>
+      ZONE_XML
+    end
+  end
+end