Zero-day malware isn't necessarily malware that just got created. It's malware that didn't get detected anywhere before. So the creation date has nothing to do with getting rated as unknown by Comodo. I hope I got you right tho...
You can delete all the trusted certificates in trusted programs certificates list and manually add each certificate from running process, from exes in programme files, other trusted programs in any other directory. Set the sandbox to run all non trusted programs to run virtually. Whenever you want to install a software which is not trusted, you can manually add the certificate and install it. Thus no other software will run on your system without your manual input. No zero day can escape this.