Can somebody give me an example for a firewall rule defined in GZ but affecting a zone with exclusive IP?

The easiest way is to place the ipf.conf, ipf6.conf and ipnat.conf files in the global zone under <zonepath>/etc where <zonepath> is what's shown against that property in `zonecfg -z <zone> info zonepath`

The zone framework will apply the rules automatically when the zone boots.

To view a zone's inbound rules from the GZ is `ipfstat -G <zone> -il` or `ipfstat -z <zone> -il`. The former (with -G) shows the zone rules that are managed by the GZ, and with -z shows the rules managed from within the zone.