Firewall Wizards mailing list archives

Q: Properly separating trust domains


From: "Bill Stout" <bill.stout () aristasoft com>
Date: Thu, 16 Mar 2000 21:45:20 -0800

[My rust will show here]

What is the best practice to separate networks based on trust level?

Say for example you have a large pool of webservers on the DMZ.  You then want to connect those to a pool of application servers on a back-end network.  Can you then: I'net---FW---www----apps, or do you have to I'net----FW---www---FW---apps?

O.K., question set differently.  Say for example you have W2000 serving out subscribed (captive) applications, and you use the W2000 system as a proxy between a green and an isolated blue network (dual-homed).  Can you then: I'net---FW---WTS----apps, or do you have to I'net----FW---WTS---FW---apps?

Does the separation between trust domains have to be a traditional security device, or can a computer running an application itself be a proxy?  Does the blue net technically turn green?

Bill Stout

