I would create a DMZ for the internet-based servers.
I would suggest something more like:
Inet
|
Inet router
|
ASA ---- DMZ with externally accessed servers
|
Internal router
|
Internal lans
As far as policy, I would allow the internet users to access the DMZ resources only on the ports required for functionality.
Allow outbound from the internal network only on the ports required for work.
You actually need 3 separate policies:
1 for the outside interface
1 for the dmz interface
1 for the inside interface
You also need a translation for internal hosts to get out and to access the dmz resources.
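The three-interface layout and per-interface policies described in that reply, written out as an ASA configuration. This is an added example and not part of the original post; it uses ASA 8.3+ object NAT syntax, and the interface names, RFC 5737 documentation addresses, the single DMZ web server, and the permitted port choices are all assumptions chosen to illustrate the design, not anything from the thread.

```cisco
! --- Interfaces: one per zone, security-level ordered inside > dmz > outside
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! --- Objects (assumed addresses)
object network web-server
 host 192.168.100.10
 ! Static NAT: internet reaches the DMZ server on a public address
 nat (dmz,outside) static 203.0.113.3
!
object network inside-net
 subnet 10.0.0.0 255.255.255.0
 ! Dynamic PAT: internal hosts share the outside interface address to get out
 nat (inside,outside) dynamic interface
!
! Identity NAT so inside hosts reach the DMZ server on its real address.
! Not required on 8.3+ (no nat-control), but it makes the intent explicit.
nat (inside,dmz) source static inside-net inside-net
!
! --- Policy 1: outside interface. Only the service ports of the DMZ server.
! Note the ACL matches the real (untranslated) address on 8.3+.
access-list outside_in extended permit tcp any object web-server eq 80
access-list outside_in extended permit tcp any object web-server eq 443
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
! --- Policy 2: dmz interface. First-match order: block DMZ -> inside before
! permitting anything, so a compromised DMZ host cannot pivot inward.
access-list dmz_in extended deny ip 192.168.100.0 255.255.255.0 10.0.0.0 255.255.255.0 log
access-list dmz_in extended permit tcp 192.168.100.0 255.255.255.0 any eq 443
access-list dmz_in extended deny ip any any log
access-group dmz_in in interface dmz
!
! --- Policy 3: inside interface. Outbound only on the ports needed for work,
! plus the DMZ server on its service port.
access-list inside_out extended permit tcp 10.0.0.0 255.255.255.0 any eq 80
access-list inside_out extended permit tcp 10.0.0.0 255.255.255.0 any eq 443
access-list inside_out extended permit udp 10.0.0.0 255.255.255.0 any eq 53
access-list inside_out extended permit tcp 10.0.0.0 255.255.255.0 object web-server eq 443
access-list inside_out extended deny ip any any log
access-group inside_out in interface inside
```

Two caveats worth checking on a real box. First, the ASA's default behaviour lets higher security-level interfaces talk to lower ones freely; the moment you bind an ACL inbound on an interface that default is replaced by the ACL's implicit deny, so the inside ACL above is what actually enforces "only the ports required for work". Second, return traffic never needs a permit because the ASA is stateful, so none of the three ACLs should contain rules for replies; if you find yourself adding them, something else is wrong (usually a missing NAT rule or asymmetric routing).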