Wednesday, May 16, 2007

Zone Install Path and Permissions

I've recently created a zone for Apache and MySQL on a colleague's workstation. The colleague works from the global zone, as it is his workstation, and I figured zones would be an excellent way of isolating his development environment from his workspace. He generally uses editors such as Bluefish and so forth to edit the .php files in the zone's htdocs directory, which in this case is something like /export/zones/web-zone2/root/opt/coolstack/apache2/htdocs. He wanted the ability to save files to the htdocs directory from the global zone. Given the nature of zones, and the necessary security precaution that the zone install path should be chmod'd 700 or else the zone won't verify or boot, I had to come up with a way to boot the zone and still give him the ability to save directly to the htdocs directory in the zone without manually chmod'ing back and forth.

I figured zoneadm or the other zone tools probably don't check for ACLs, just UNIX-style permissions, so I decided to give this a try:

# chmod A+user:dlapoint:execute:allow /export/zones/web-zone2
# chmod A+user:dlapoint:list_directory:allow /export/zones/web-zone2

It's nasty; however, it does work, and now he's able to read and write files to that htdocs directory without having zoneadm -z verify or zoneadm -z boot gripe about the permissions on the zone install dir being 'insecure'. There are some other ways I could've gone about this, such as sharing the htdocs from the global zone with web-zone1, but I felt that didn't provide the level of isolation that was desired.
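As an added example (not from the original post), here is a small Python audit that parses the verbose ACL listing `ls -dv` prints for a zone root and checks that it still matches the setup above: mode 700, owned by root, and the extra user entries limited to execute (traverse) and list_directory. The listing format is assumed from Solaris `ls -v` output and the sample listings are constructed, not captured from a real system.

```python
import re

# NFSv4 ACE permissions that let a principal alter the zone root or what it contains.
WRITE_PERMS = {"add_file", "write_data", "add_subdirectory", "append_data", "write_xattr",
               "write_attributes", "write_acl", "write_owner", "delete", "delete_child"}
# The only two permissions the post grants to the global-zone user.
TRAVERSE_PERMS = {"execute", "list_directory"}

# First line of `ls -dv`: mode (with optional '+' ACL marker), link count, owner, group.
STAT_RE = re.compile(r"^([dl-])([rwxsStT-]{9})[+@]?\s+\d+\s+(\S+)\s+(\S+)\s")
# One ACE line: index:principal:perm/perm/...:allow|deny (assumed Solaris ls -v layout).
ACE_RE = re.compile(r"^\s*\d+:(user:[^:]+|group:[^:]+|owner@|group@|everyone@):([^:]*):(allow|deny)$")


def parse_listing(listing):
    """Return (mode string, owner, {principal: set of allowed perms}) from `ls -dv` text."""
    lines = listing.strip().splitlines()
    m = STAT_RE.match(lines[0])
    if not m:
        raise ValueError("first line is not an ls -l style entry")
    allowed = {}
    for line in lines[1:]:
        ace = ACE_RE.match(line)
        if not ace:
            raise ValueError("unrecognised ACE: " + line.strip())
        principal, perms, kind = ace.groups()
        if kind == "allow":  # several A+ entries for one user are merged here
            allowed.setdefault(principal, set()).update(p for p in perms.split("/") if p)
    return m.group(2), m.group(3), allowed


def audit_zone_root(listing):
    """List problems with a zone root's permissions; an empty list means it matches the post's setup."""
    mode, owner, allowed = parse_listing(listing)
    problems = []
    if owner != "root":
        problems.append("zone root owned by %s, not root" % owner)
    if mode != "rwx------":
        problems.append("mode is %s, zoneadm expects 700" % mode)
    for principal, perms in allowed.items():
        if principal in ("owner@", "group@", "everyone@"):
            if principal != "owner@" and perms & WRITE_PERMS:
                problems.append("%s has write access: %s" % (principal, sorted(perms & WRITE_PERMS)))
            continue
        extra = perms - TRAVERSE_PERMS  # anything beyond traverse is more than the post needed
        if extra:
            problems.append("%s granted more than traverse access: %s" % (principal, sorted(extra)))
    return problems


# Constructed sample of what `ls -dv /export/zones/web-zone2` might show after the two chmod commands.
GOOD = """\
drwx------+  4 root     root           5 May 16  2007 /export/zones/web-zone2
     0:user:dlapoint:list_directory:allow
     1:user:dlapoint:execute:allow
     2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:allow
     3:group@::allow
     4:everyone@:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:deny
     5:everyone@:read_xattr/read_attributes/read_acl/synchronize:allow
"""
# Constructed: the same directory after someone also granted that user write access to the zone root.
BAD = GOOD.replace("1:user:dlapoint:execute:allow", "1:user:dlapoint:execute/add_file/write_data:allow")
```

Running `audit_zone_root(BAD)` flags the add_file/write_data grant, while the listing that mirrors the post's two entries produces no findings.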
