Novell ZENworks 10 Configuration Management
An administrator that only has rights to a subset of the devices hierarchy can register devices in folders that they are not authorised to manage
This is working as designed.
ZAC's only reason for asking for credentials is to ensure that the person running the ZAC command is an administrator. Those credentials are not passed in as part of the registration request as registration does not require any authentication. If it did it would defeat the purpose of registration which is to get the device registered so long as it matches a rule, or a correct key is used.
To enhance security, you should ensure that only authorised people have access to registration keys, and that Default Registration rules are disabled.