Your approach goes the wrong way. You need to make sure that none of the files in the ZIP file are ever going to be used in a situation in which malicious files could do any damage.
You will never be able to guarantee that an uploaded ZIP file contains only non-malicious data. To do that, you would have to virus scan it, parse the containing PHP code, and whatnot.
Just see that whatever maliciousness is contained, can never unfold.
For PHP scripts, for example, you would have to ensure that they are not stored anywhere where they can be called from the outside, and executed.
For images.... Well, if you want to make totally sure they don't contain any exploits that attack image displaying components, you could always copy them using PHP´s
gd functions, destroying any EXIF Metadata (and probably any other harmful stuff) in the process.
There is still some basic sanitation one could and should do. Check out this question (link below, markdown seems broken right now) for more reading on the issue - especially bobince's answer and the link he posts. That taught me a lot.