Non-global zones provide the following features:
Once a process has been placed in a zone other than the global zone, neither the process nor any of its subsequent children can change zones.
Network services can be run in a zone. By running network services in a zone, you limit the damage possible in the event of a security violation. An intruder who successfully exploits a security flaw in software running within a zone is confined to the restricted set of actions possible within that zone. The privileges available within a zone are a subset of those available in the system as a whole.
Zones allow the deployment of multiple applications on the same system, even if those applications operate in different trust domains, require exclusive access to a global resource, or present difficulties with global configurations. The applications are also prevented from monitoring or intercepting each other's network traffic, file system data, or process activity.
Zones are configured as exclusive-IP type by default. The zones are isolated from the global zone and from each other at the IP layer. This isolation is useful for both operational and security reasons. Zones can be used to consolidate applications that must communicate on different subnets using their own LANs or VLANs. Each zone can also define its own IP layer security rules.
Zones provide a virtualized environment that can hide details such as physical devices and the system's primary IP address and host name from applications. The same application environment can be maintained on different physical machines. The virtualized environment allows separate administration of each zone. Actions taken by a zone administrator in a non-global zone do not affect the rest of the system.
A zone can provide isolation at almost any level of granularity. See Non-Global Zone Isolation for more information.
Zones do not change the environment in which applications execute except when necessary to achieve the goals of security and isolation. Zones do not present a new API or ABI to which applications must be ported. Instead, zones provide the standard Oracle Solaris interfaces and application environment, with some restrictions. The restrictions primarily affect applications that attempt to perform privileged operations.
Applications in the global zone run without modification, whether or not additional zones are configured.