In "Troubleshooting Zenphoto" and elsewhere, I keep finding recommendations to chmod this directory or that to mode 777. This is of course a completely unacceptable thing to have to do -- this means that any user on the server can overwrite any of your photos with anything they like, create new galleries, or delete everything you've got. This is a crazy requirement. If the package can't work without that in certain environments, tell people it doesn't work in those environments; some people don't know enough to realize just how dangerous setting directories to world write is, and will be angry with you when they find out!
There's maybe a similar problem with the MySQL password and username in zp-data/zp-config.php; if that file is world read, then any user on the system can find out how to connect to the MySQL database with all my Zenphoto stuff in it, and mess it up, either destructively or creatively. The default install sets that file world read, and that's really not an acceptable choice. It may be more convenient, but it's too unsafe to make the default.
Obviously these are smaller concerns, though not completely irrelevant, if you're on a private server (virtual or physical). But most people are on shared servers, where there might be dozens or hundreds of other users with login rights, any one of whom could completely trash your photo galleries if these file and directory protections are set the way that's suggested.
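A check for the two conditions raised in the post above, as an added example that is not part of the original post or Zenphoto's own code: it walks an install tree and reports world-writable entries and a world-readable zp-data/zp-config.php. The sample tree and its directory names (albums, cache) are constructed for the demonstration.

```python
import os
import stat
import tempfile

# Path of the credentials file as named in the post, relative to the install root.
SENSITIVE_FILES = {os.path.join("zp-data", "zp-config.php")}

def audit_tree(root, sensitive=SENSITIVE_FILES):
    """Return sorted (relative_path, octal_mode, problem) findings under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            rel = os.path.relpath(full, root)
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:
                # Any local account can modify this entry (or add files to it).
                findings.append((rel, oct(mode), "world-writable"))
            if rel in sensitive and mode & stat.S_IROTH:
                # Any local account can read the database username and password.
                findings.append((rel, oct(mode), "credentials world-readable"))
    return sorted(findings)

def build_sample_install():
    """Constructed sample tree with the permissions the post objects to."""
    root = tempfile.mkdtemp(prefix="zp-audit-")
    for d, m in (("albums", 0o777), ("cache", 0o755), ("zp-data", 0o755)):
        os.mkdir(os.path.join(root, d))
        os.chmod(os.path.join(root, d), m)
    cfg = os.path.join(root, "zp-data", "zp-config.php")
    with open(cfg, "w") as fh:
        fh.write("<?php /* constructed placeholder, no real credentials */ ?>")
    os.chmod(cfg, 0o644)
    return root

if __name__ == "__main__":
    for rel, mode, problem in audit_tree(build_sample_install()):
        print(f"{mode:>6}  {rel}  ({problem})")
```

Point `audit_tree` at a real install root to list what needs tightening; which stricter modes still work depends on the account the web server runs PHP as.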
Comments
Shared hosts are what most of your users use, and most sites are single- or few-user sites anyway (as far as we can tell). (I am on shared hosting myself, although that allows stricter settings.)
As you know, sadly, not all servers are set up the same way, so we can know about these so that setup will put out a warning about that quite obviously and also let you try to set stricter settings.