The model logical architecture released a while ago by Microsoft for a corporate MOSS deployment includes a configuration that really had me wondering "Why?" - that is the use of the custom zone for administrative access to all the sites.
One answer I have come up with - by assigning a policy to the custom zone for the SharePoint administrator user group, and granting full control in this policy, then the administrators are guaranteed to have full control over all sites and content in the delpoyment. Note that this is assuming an AD group named "SharePoint Administrators" exists in the domain.
The permissions applied in a policy override all other permissions in sites, so even if a user with site admin rights had removed all explicit permissions for the SharePoint Administrators user group from their site, the policy enforces access.