You can set the ACL for a folder and its content, for example:
chmod -R +a "everyone deny write,delete_child" <folder>
If you create the zip archive with ditto the ACL should be retained:
ditto -ck <src folder> <dest>.zip
or better: as .dmg.
Indeed, you forced me to do so 
: After 3 times double-clicking, then re-extracting the zip (I thought the .pkg got corrupted upon expansion), and double-clicking again I finally looked inside the “.pkg”.
But don’t worry, from now on I know how to deal with Dan’s special .pkg bundles…
Edit: Just noticed that I’m in the wrong topic. I thought I was in your other Spotlight topic.