For start, I was actually testing ConfigMgr cloud gateway management and Client Installation over Internet, see this post https://blogs.technet.microsoft.com/arnabm/2017/08/27/client-installation-over-internet/
I did managed install ConfigMgr client on AAD joined Windows 10 (version 1709), but I also want configure some Internet Explorer settings to my AAD joined device.
Since Windows 10 (version 1703), we can use Intune Policy CSP to configure more settings, it call admx-backed policies.
Here is how I make Site to Zone Assignment list setting using Intune OMA-URI
Works only on Windows 10 version 1709
Works both Windows 10 version 1703 and 1709
Let's check first Policy CPS list, InternetExplorer/AllowSiteToZoneAssignmentList is the one we are looking for, it tells admx file name is inetres.admx
Open gpedit.msc in Windows 10 (version 1709). Open Windows Components/Internet Explorer/Internet Control Panel/Security Page/Site to Zone Assignment List, there are two settings that you will need. Enabled, and Zone assignment list.
I use ADMX Migrator open inetres.admx, zone list Elements is ListBox, ID name is IZ_ZonemapPrompt, this is the ID I will need to use for assigning those zone list in Intune.
You can also just use notepad open inetres.admx, then search what is the ID you will need.
Go to Intune portal - Device configuration - Profiles - Create Profile
Click Add. Input the following information:
Name: AllowSiteToZoneAssignmentList (you can use anything you want)
Data type: String
<Data id="IZ_ZonemapPrompt" Value="https://login.microsoftonline.com2http://www.thesccm.com1"/>
So if want to choose "Enabled", value will be <enabled/>, if want to choose disabled, value will be <disabled/>
Because we need to input those sites to zone list, ID name is IZ_ZonemapPrompt, so we use <Data id="IZ_ZonemapPrompt"
In this article https://docs.microsoft.com/en-us/windows/client-management/mdm/registry-csp Supported date type, it tells:
Multiple strings are separated by  and ended with two  - A query of this parameter returns a multistring type.
You can find more information from internet about  (use search key word MDM )
In this case, I want to have https://login.microsoftonline.com in zone list 2 (trusted zone) and http://www.thesccm.com in zone list 1 (local intra), so I need to put  between those strings, and also in the end 
After create this profile, assign it to a user group.
In my Windows 10 machine, open Settings - Accounts - Access work or school, click on Sync, because I was using ./Vendor/MSFT/Policy/Config/InternetExplorer/AllowSiteToZoneAssignmentList, so those are device settings, you can find it under registry Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device
Generate Advanced Diagnostic Report
You should able to see this in your report.
Open Internet Explorer
If you can't see your policy, check Event Viewer - Applications and services log - Microsoft - Windows - DeviceManagement-Enterprise-Diagnostics-Provider, see if there is any errors about the policy you created, then start trouble shooting.