Indeed. PIX can use local and centralised user databases for auth to the DMZ, and for the above configuration it is quite easy to set up, especially with the new PDM Java GUI interface. By default no low security interface can access a high security interface, i.e. DMZ to inside, Internet (outside) to DMZ or inside, unless expressly permitted.
It's very secure, no need to manage both Fw1 and the OS it runs on etc. Logging is to syslog, as per Cisco routers, and numerous scripts and commercial apps can analyse this for you.
PS PIX is also a hell of a lot cheaper ;)