Indeed, it doesn't work.
After looking at this for a few minutes, I'm pretty sure that what you want to do is add a negative right for adminLoginAs to forbid it, rather than passively not allow it.
I couldn't apply the deny directly to a global administrator:
Denying access to global administrators seems to be a bit tricky. I was able to get a deny right in by creating a distro list with only a test account that was a global admin and setting the list as an admin group. Then I did:
ERROR: service.INVALID_REQUEST (invalid request: grantee must be a delegated admin account or admin group, it cannot be a global admin account.)
However, my test user still had the view mail button and could still login..
zmprov grr dl firstname.lastname@example.org grp email@example.com -adminLoginAs