Blockchain-enabled IoT Access Control (BIAC) is a promising paradigm to achieve reliable and automatic access control management for IoT systems. Due to the involvement of blockchain which is transparent, account privacy is easily violated in BIAC. Motivated by the recent progress of utilizing Zero Knowledge Proof (ZKP) to protect account privacy in cryptocurrencies, this article systematically investigates a ZKP-based privacy-enhancing BIAC architecture. We summarize the design principles as authenticating transactions with ZKP proofs instead of digital signatures so that permissions are linked to off-chain secrets rather than on-chain accounts. However, since the ZKP proofs are stored on the blockchain, an adversary may launch replay attacks to access resources illegally. To tackle this challenge, we carefully design two account-hiding transactions as well as validation rules for the classical capability-based AC (CBAC) model, where all ZKP proofs expire once used. The enhanced system preserves all necessary functions of CBAC while achieving permission invisibility and requester anonymity. We implement the designed ZKP operations, where the evaluation results demonstrate our solution incurs low overheads.