Currently we have a setup like this:
LAN (private IP range) | ISA (private IP on internal NIC, public on external) | DMZ (public IP range) | PIX (public IP on internal NIC and public IP on external NIC)
At the moment, as well as having a web server in our DMZ, we use ISA's server publishing feature to allow access to various websites located on the LAN.
The external NIC on the ISA has several public IP addresses bound to it and we have 1:1 rules that translate "Public w.x.y.z - LAN w.x.y.z - port 80/443".
At the moment the ISA controls outbound access at protocol level by both domain account and IP address.
I'm looking at putting in some sort of appliance such as a Blue Coat to control outbound http/https/ftp access, which leaves me needing a cheap but reliable and easy to administer firewall that will do what the ISA currently does at a protocol level so I can define outbound access by IP address (assuming the Blue Coat will handle 99% of "by user" requests).
The ISA machine is due to be replaced in a couple of months and if we do invest in a Blue Coat I'm not sure I can justify the cost of a server of sufficient spec to run ISA, the cost/maintenance of Windows 2003 plus the cost/maintenance of the ISA Server itself when we would probably only be using the bare minimum features.
Whenever I've looked at this sort of thing I've always been quite taken by m0n0wall, as it seems an ideal example of a bare bones firewall that will run on "that old box in the corner", but it's the server publishing stuff that's throwing a spanner in the works, as most things I know of seem to do port based publishing rather than 1:1 publishing with multiple public IPs to multiple private IPs.
Hope that makes some sense!
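One way the 1:1 publishing ("public w.x.y.z -> LAN w.x.y.z, port 80/443") and the per-IP outbound control described above map onto a plain Linux box with iptables, as an added example that is not part of the original post; interface names, addresses and the mapping table are placeholders I made up, and the script only prints the rules so they can be reviewed before being piped into a shell.

```shell
#!/bin/sh
# Added example (not from the original post): print iptables rules for
# 1:1 "public IP -> LAN IP, ports 80/443" publishing on a Linux box with a
# public-facing NIC (EXT_IF) and an internal NIC (INT_IF).
# Interface names and addresses are placeholders, not taken from the post.
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"

# Constructed mapping table: "public_ip lan_ip", one pair per line.
# Each public IP must also be bound to EXT_IF (ip addr add ...) for this to work.
MAPPINGS="203.0.113.10 192.168.1.10
203.0.113.11 192.168.1.11"

# publish_rules PUBLIC LAN: rules for one 1:1 mapping.
# Only 80/443 are forwarded in; outbound traffic from the LAN host leaves
# with its own public address (SNAT), so the host behaves as if 1:1 NAT'd.
publish_rules() {
    pub="$1"; lan="$2"
    for port in 80 443; do
        echo "iptables -t nat -A PREROUTING -i $EXT_IF -d $pub -p tcp --dport $port -j DNAT --to-destination $lan"
        # FORWARD sees the already-translated (LAN) destination.
        echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -d $lan -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $lan -j SNAT --to-source $pub"
}

# all_rules: default-deny forwarding, allow replies, then one rule set per mapping.
all_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "$MAPPINGS" | while read -r pub lan; do
        if [ -n "$pub" ]; then publish_rules "$pub" "$lan"; fi
    done
}

# outbound_allow PORT SRC...: the protocol-level "by IP address" outbound
# control the ISA does today. Only the listed LAN hosts may open
# connections out on PORT; everything else hits the FORWARD DROP policy.
outbound_allow() {
    port="$1"; shift
    for src in "$@"; do
        echo "iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $src -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
}
```

Run `all_rules` and `outbound_allow 443 192.168.1.20` and inspect the output, then pipe it to `sh` as root once you are happy with it.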