You can use the built-in Not allowed resource types policy. When assigning it you can choose which resource type to not be allowed. In your case dnszones.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.