It seems I found a solution:
- add the ZoneMap Keys under HKLM like this
[HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\domain.com] - add both locations WOW6432Node and standard path because iexplore.exe may use a 64 or 32bit tab.
- also in both locations
[\ZoneMap]
"IEHarden"=dword:00000000
removed all GPOs regarding ZoneMap.
result: the zones apply to all users on that machine.