This isn't possible if either using, the web portal, Zimbra desktop or Outlook for the Zimbra Network Edition if 'Allow sending email from any address' is not checked.
A colleague found that if you enter Prefrences and edit your Profile (Main Account) you can cahnge the "From" data to any other existing account (name, email address) and later send a message impersonating this account without knowing its password.
If using pop3 or IMAP, there are no controls. To turn this feature off:
In the administrative portal, go to the user's class of service (COS), under Preferences, uncheck:
Allow sending email from any address
Ben Franklin quote:
"Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety."