Typically the DMZ is designed as the first stop into any company that is connected to the Internet. Do not place any e-mail, databases or any other data that is critical to your company in this zone.
Place servers that you connect for authentication. Now when these devices connect back through the DMZ to say a database zone, create a network subnet with only those devices. This separates other internal systems from the external and provides a layered approach. Now, anyone needing to access say e-mail or other data (shares, files, etc) put them in another network off the DMZ. I always recommend firewalls at both sides of the DMZ and IDS systems external -- one in the DMZ, one in the Database zone and others more or less in all zones.
Security must be addressed as a layered approach. The first step is to filter all traffic before it enters the DMZ. So a router only letting in say port 80, 443 to the DMZ. Then the DMZ will only allow traffic such as any application in the DMZ e-mail, SMTP. Please no FTP, because it's too insecure.The DMZ should only allow valid traffic to the devices behind it.
For more info on this topic, please visit these SearchSecurity.com resources:
This was first published in January 2004