Release v2.2.4: permission check InheritOnly fix and DSInternals block detection

Test-ReplicationPermissions:
- Skip InheritOnly ACEs since they do not apply to the domain root
  object itself, only to child objects.

Test-WeakADPasswords:
- Detect Windows Zone.Identifier blocks on DSInternals DLLs and
  emit a clear error with the exact Unblock-File remediation
  command instead of a vague warning.

All versions bumped to unified v2.2.4.

Test-WeakADPasswords.ps1

@@ -8,7 +8,7 @@
 ##################################################
 ## Project: Elysium                             ##
 ## File: Test-WeakADPasswords.ps1               ##
-## Version: 2.2.3                               ##
+## Version: 2.2.4                               ##
 ## Support: support@cqre.net                    ##
 ##################################################
 
@@ -352,7 +352,11 @@ function Import-CompatModule {
 
         $nonFipsErrors = @($importErrors | Where-Object { $_.Exception.Message -notmatch 'Only FIPS certified cryptographic algorithms are enabled in \.NET' })
         if ($nonFipsErrors.Count -gt 0) {
-            Write-Warning ("DSInternals import reported non-fatal warning(s): {0}" -f $nonFipsErrors[0].Exception.Message)
+            $nonFipsMsg = $nonFipsErrors[0].Exception.Message
+            if ($nonFipsMsg -match 'Zone\.Identifier|alternate data stream') {
+                throw ("DSInternals native DLL is blocked by Windows (Zone.Identifier). Run the following on the target machine and retry:`n  Get-ChildItem -Path '$env:ProgramFiles\WindowsPowerShell\DSInternals' -Recurse | Unblock-File")
+            }
+            Write-Warning ("DSInternals import reported non-fatal warning(s): {0}" -f $nonFipsMsg)
         }
 
         Write-Verbose ("Imported module '{0}' (Core={1}, Windows={2})" -f $Name, $runningInPSCore, $onWindows)