I think you are pretty much there.
In terms of allowing access from your DMZ to INSIDE, limit it. Legitimate traffic could be syslog, SNMP to your management server.
In terms of proxy, you don't necessarily have to stick it in your DMZ, as the outside would not attempt to connect to it.
Here is a good read about the concept: http://etherealmind.com/design-enterprise-dmz-firewall-clusters/