I divided the server into functional parts: web, mail and users, each with its own separate zone.
storage/zones/mailzone 758M 20.5G 717M /zones/mailzone
storage/zones/mailzone@stable20080502 41.0M - 693M -
storage/zones/userzone 167M 20.5G 128M /zones/userezone
storage/zones/userzone@stable20080502 39.2M - 166M -
storage/zones/webzone 2.36G 20.5G 519M /zones/webzone
storage/zones/webzone@stable20080502 8.03M - 517M -
storage/zones/webzone/webcontent 1.85G 20.5G 1.85G legacy
storage/zones/webzone/webcontent@stable20080515 0 - 1.85G -
I have created a stable snapshot for all filesystems; if anything should happen to any of the zones or their data, I can quickly roll back to a known state in a few seconds. Also, none of the snapshots are available from within the local zones, hence the legacy mount of webcontent.
On top of this, I restricted the maximum addressable amount of memory for each zone to a few hundred megabytes. This is done with the zone.max-swap resource control. I also used Fair Share Scheduling and dedicated 100 shares to the global zone and 10 to each of the other zones.
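The per-zone limits described above can be written as a zonecfg command file. The script below is an added example, not part of the original post: the 512 MB cap is an assumed value (the post only says "a few hundred megabytes"), the helper function names are hypothetical, and it assumes the zones have no existing zone.max-swap or zone.cpu-shares rctl entries.

```shell
#!/bin/sh
# Added example: generate zonecfg commands that cap a zone's swap
# (zone.max-swap) and set its Fair Share Scheduler shares.
# Zone names and share counts come from the post; 512 MB is an assumption.

# mb_to_bytes MB -> bytes on stdout; rejects empty, non-numeric or zero input
mb_to_bytes() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ] || return 1
    echo $(( $1 * 1024 * 1024 ))
}

# zone_limit_cmds SWAP_MB SHARES -> zonecfg command file on stdout
zone_limit_cmds() {
    bytes=$(mb_to_bytes "$1") || { echo "bad swap size: $1" >&2; return 1; }
    case "$2" in
        ''|*[!0-9]*) echo "bad share count: $2" >&2; return 1 ;;
    esac
    cat <<EOF
set scheduling-class=FSS
add rctl
set name=zone.max-swap
add value (priv=privileged,limit=$bytes,action=deny)
end
add rctl
set name=zone.cpu-shares
add value (priv=privileged,limit=$2,action=none)
end
EOF
}

# Dry run only: print the commands for each local zone named in the post.
# To apply, save a block to a file in the global zone and run
#   zonecfg -z <zone> -f <file>
# then reboot the zone so the new limits take effect.
for z in webzone mailzone userzone; do
    echo "# --- $z ---"
    zone_limit_cmds 512 10
done

# The global zone's 100 shares are set on the running system with prctl.
echo "# global: prctl -n zone.cpu-shares -v 100 -r -i zone global"
```

With action=deny on zone.max-swap, allocations beyond the cap fail inside the zone instead of consuming swap shared with the global zone, so a runaway service cannot starve the others.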
I also disabled unneeded services in the local zones; it can save a few hundred MB of memory for each zone. Disabling svc:/system/webconsole:console saved about 175MB per zone.
I found this setup very useful for Internet-connected servers: create one zone per service and only have that service activated in the local zone. Secure the global zone and only use it for administration of the local zones.