I administer my DMZ as a separate network, with a separate interface on the firewall and its own network policy. It is not a border, just a different subnet with its own physical topology that makes it easy for me to permit or deny whatever I want without affecting my office users. As a matter of fact, having a DMZ gives me the flexibility of having either tighter or looser security on that segment than on my office segment, depending on my needs.

Yeah, man, this isn't war. That would suck.