Software like Symantec Antivirus 2004 will scan inside ZIP files without you having to decompress them. Its virus scanning is good, and I believe its trojan horse scanning is acceptable, but it certainly won't scan for attached spyware or programs that are built completely with malicious intent. You will need to download the ZIP file in order to perform a local virus scan on it.
To my knowledge, ZIP files are relatively safe to download to your computer; they won't 'open themselves'. The problems only really begin if you decompress the ZIP file.
A lot of this is really about how confident you feel about the software's origin. If you grabbed it off CNET, for example, your chances of there being a problem would be significantly lower than if you downloaded it from BobsHaKz.BIZ ;)
Yes, trying to carefully inspect the ZIP file to see what is inside is OK.
However, there is another less technical but more social approach: (1) Do you know the sender? If not: delete, don't care what surprise may be inside, just delete. (2) If it is a known sender (it may be a fake, since there are viruses and worms propagating by hijacking friends' address books), do you expect a ZIP file from her/him? If not: delete. (3) Otherwise ask back: "Did you send me some ZIPped file today? What's inside?" If you get a reply like "Huh? What are you talking about ...?": delete.
I normally just do this 'social' way of content judging, and usually I am successfully finished with 90% of all spam cr*p after 0.1 seconds with just option (1), and with an additional 9% after another 0.1 seconds with option (2). This is much faster than opening 'unzip' or 'winzip', or even scanning, before discarding that cr*p anyway. The remaining 1% takes a bit longer, but all the step (3) actions I have taken so far have also ended in deletions.
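As an added illustration of the "inspect the ZIP to see what is inside" approach mentioned above (example code, not from any poster in this thread), the following Python reads only the archive's central directory, extracts nothing, and flags entry names and sizes a defender would want to look at before deciding to keep or delete. The sample archive is constructed inline and the extension lists are assumptions, not a complete catalogue.

```python
import io
import zipfile

# Extensions that Windows runs as programs when double-clicked (not exhaustive)
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Nested archives: a scanner that looks one level deep may not see inside them
ARCHIVE_EXTS = {".zip", ".rar", ".7z"}

def inspect_zip(data: bytes) -> list:
    """Read only the ZIP central directory and return (entry, reason) findings.
    Nothing is decompressed or written to disk."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Entry paths that would land outside the extraction directory
            if name.startswith("/") or ".." in name.split("/"):
                findings.append((name, "path traversal"))
            parts = name.lower().rsplit("/", 1)[-1].split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in EXECUTABLE_EXTS:
                findings.append((name, "executable"))
                if len(parts) > 2:  # e.g. photo.jpg.exe displayed as photo.jpg
                    findings.append((name, "double extension"))
            if ext in ARCHIVE_EXTS:
                findings.append((name, "nested archive"))
            # A tiny compressed size expanding to a huge file is a zip-bomb signal
            if info.compress_size and info.file_size / info.compress_size > 100:
                findings.append((name, "high compression ratio"))
            # Bit 0 of the general purpose flags marks an encrypted (unscannable) entry
            if info.flag_bits & 0x1:
                findings.append((name, "encrypted entry"))
    return findings

def build_sample() -> bytes:
    """Constructed sample archive for this example, not a real attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", b"harmless text")
        zf.writestr("holiday.jpg.exe", b"MZ" + b"\x00" * 64)
        zf.writestr("../autorun.inf", b"[autorun]\n")
        zf.writestr("more.zip", b"PK\x05\x06" + b"\x00" * 18)
        zf.writestr("big.bin", b"\x00" * 200_000)
    return buf.getvalue()

if __name__ == "__main__":
    for entry, reason in inspect_zip(build_sample()):
        print(f"{entry}: {reason}")
```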