I heard that uploading can be very dangerous, even when you check the MIME type of each file, because they can be easily manipulated. Hence, I'm wondering how I can check if an uploaded file is a zipped file or a SWF file? Does anyone have some proven methods?
Storm
1) If possible, put the upload in a directory outside the HTTP tree, and pipeline all access to it via a PHP file. That's what I do for the wiki I run for my company (a very secure wiki - I know, I know, it sounds like an oxymoron, but it really is very secure), and the PHP file validates permissions, based on the user session/cookies, before serving the file.
2) If you insist on putting the uploads directory in the HTTP tree, drop a .htaccess file in there that defangs the contents. I just map all the file extensions for executables to plain text and turn off the PHP engine. That way, if someone directly accesses the file, they get it sprayed back as text. Not perfect, as they can still get the source or binary, but at least they can't execute it on your server.
how I can check if an uploaded file is a zipped file or a SWF file
like
$f = fopen('uploaded-file', 'r');
$s = fread($f, 4);          // read the first 4 bytes (the "magic number")
fclose($f);
// ZIP archives start with "PK"; SWF files start with "FWS" (uncompressed)
// or "CWS" (zlib-compressed). Anything else is removed.
if (substr($s, 0, 2) !== 'PK' && substr($s, 0, 3) !== 'FWS' && substr($s, 0, 3) !== 'CWS') {
    unlink('uploaded-file');
}
This would not guarantee files are 100% of the correct type, but it is at least one additional barrier for hackers.
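Putting the two answers above together, here is an added example (my own code, not from any poster in this thread) of the "serve through a PHP file" approach combined with the magic-byte check: uploads live outside the document root under random names, the script checks the session, and the file is only sent if its first bytes still match what was recorded at upload time. UPLOAD_DIR, the $files map (a stand-in for a database table) and the `id` query parameter are assumed names.

```php
<?php
// Added example: gatekeeper script for uploads stored OUTSIDE the document root,
// so the web server can never execute them directly.
declare(strict_types=1);
session_start();

const UPLOAD_DIR = '/var/www/private_uploads';   // hypothetical; not under DocumentRoot

// Hypothetical stand-in for a DB table. Files are stored under random names;
// the client never supplies a path. Original name and the magic bytes expected
// for the declared type were recorded at upload time.
$files = [
    17 => ['stored' => 'a3f9c2e1.bin', 'name' => 'report.zip', 'magic' => ['PK']],
    18 => ['stored' => '7b0d44ee.bin', 'name' => 'intro.swf',  'magic' => ['FWS', 'CWS', 'ZWS']],
];

function deny(int $code): void { http_response_code($code); exit; }

// Permission check based on the session, as in the first answer.
if (empty($_SESSION['user_id'])) { deny(403); }

$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null || !isset($files[$id])) { deny(404); }
$meta = $files[$id];

// Resolve the path and confirm it is still inside UPLOAD_DIR, which defeats
// traversal even if the map were ever populated from untrusted data.
$path = realpath(UPLOAD_DIR . '/' . $meta['stored']);
if ($path === false || strncmp($path, UPLOAD_DIR . '/', strlen(UPLOAD_DIR) + 1) !== 0) { deny(404); }

// Defence in depth: re-check the magic bytes at serve time, not only at upload.
$head = file_get_contents($path, false, null, 0, 4);
$ok = false;
foreach ($meta['magic'] as $sig) {
    if (strncmp($head, $sig, strlen($sig)) === 0) { $ok = true; break; }
}
if (!$ok) { deny(404); }

// Force a download with a generic type; nosniff stops browsers from guessing a
// scriptable type (e.g. HTML) from the content, which is how "defanged" files
// still end up executing client-side.
$safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $meta['name']);
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . $safeName . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

Because the upload directory is not in the HTTP tree, a request for the raw file path gets a 404 from the web server regardless of extension, and the only way to reach the bytes is through this script's checks.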