The way I would set it up, and how I am currently working on doing it, is to have one NIC for your internet connection and one for the DMZ, which will be nothing but servers (web, ftp, mail, etc.) that people from the internet can connect to. Then have a third NIC for the "private network" that will not allow any inbound connections from the internet unless started by the client machine inside the private network.
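The three-interface layout described above, written as an nftables ruleset. This is an added example, not the poster's own configuration; it assumes a Linux firewall running nftables, and the interface names and the published port list are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example: three-legged firewall (internet / DMZ / private network).
# Interface names and ports below are assumptions, adjust to your hardware.
flush ruleset

define WAN = "eth0"   # assumed: NIC facing the internet
define DMZ = "eth1"   # assumed: NIC for the public servers (web, ftp, mail)
define LAN = "eth2"   # assumed: NIC for the private network

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Assumption: the firewall itself is administered only from the private network
        iifname $LAN tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections that a rule below already allowed.
        # This is what lets private clients get replies without any
        # inbound rule toward the private network.
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the published services (assumed port list).
        # Passive/active FTP data channels additionally need the ftp conntrack helper.
        iifname $WAN oifname $DMZ ct state new tcp dport { 21, 25, 80, 443 } accept

        # Private network -> internet and DMZ: connections started by the client
        iifname $LAN oifname { $WAN, $DMZ } ct state new accept

        # DMZ -> private network: never allowed. Log it, because a DMZ server
        # opening connections inward is a sign that it has been compromised.
        iifname $DMZ oifname $LAN log prefix "dmz-to-lan: " drop

        # Internet -> private network: no rule, so new connections hit policy drop
    }
}
```

The ruleset can be syntax-checked without loading it by running `nft -c -f` on the file.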