Full configuration details for immutable zones are covered in Chapter 7, Zones in Solaris 11, but it is worth mentioning the rationale for them here.
To make a system almost hack-proof, it is very effective to take away as much write access as possible. If you are willing to run your services in a zone, you can configure that zone as an immutable zone. This lets you make filesystems, and even service configurations, immutable (that is, non-writable).
Most remote attacks succeed by eventually writing corrupted data to the filesystem, and then taking more control from there. If attackers cannot write to the filesystem, many avenues of attack are closed. Furthermore, if they cannot deface the site or store their own files, the incentive for taking over the system may also have been removed.
There are varying levels of immutability possible. If your services will not run in a fully read-only zone, it is possible to allow access to /var, and a few other filesystems...