If you enabled both POP & IMAP during installation you don't need to do much server side. Just check your Class of Service setups to make sure IMAP is enabled, and any firewall settings.
As for IMAP - it works completely differently but in essence - IMAP shows the same folders to any client (web or desktop clients). There is no need to leave messages on the server with IMAP - it always does so unless the end user specifically moves messages to local folders.
I'd recommend reading in more depth about IMAP:
Internet Message Access Protocol - Wikipedia, the free encyclopedia
P.S. What security vulnerabilities are you referring to for POP3? I don't know of any such vulnerabilities. Do you mean with POP3 on Zimbra or in general? We do disable POP3 by default for users but just because we have too many people who will 'accidentally' setup some mail client as POP3 and have it download all their mail.