This is really a question about how windows server multiple nic networking operates.
Since this is a public access web server you will have to make some firewall changes for the server to work at all if the default gateway is set to your trust network. The way windows works is that there can only be one default gateway assigned to one of the server nics. This is where all traffic will be sent destined to any ip address that is not directly on the subnet of another NIC or manually created with the route command.
So what happens is that your firewall forwards the public ip traffic to your web server on the DMZ nic. But your server then responds out the trust NIC. This response then gets NATed on the firewall trust to untrust zone and appears back to your requester as coming from a completely different address and port.
If you want to stick with this setup, you will need to source NAT the inbound web server traffic to the same subnet as the DMZ zone so that the windows server will respond out the same interface.
The simpler solution is the first one Doug suggested. Put the default route on the DMZ and create any additional static routes you need out the trust nic for additional segments. This allows you to have the two direct connections with the minimum of external configuration.
Yes, setting up a fully protected and segmented DMZ is more difficult. But there are really good reasons to not have a direct NIC to the trust zone from a DMZ server at all and control the access needed with policies.
- Should the web server become compromised, the hacker will not have full access to the trust zone but only the limited ports opened for server to server communications
- You can create a rule set that only allows the server to initiate communication on the needed ports to other servers but not the rest of your network.
- Your computer to DMZ rules will only allow computers to use the web site services but not allow hackers to enter the trust network from the DMZ
- Your mgmt to DMZ rules only allow traffic in this direction and do not provide access ports for hackers on compromised servers
As a matter of policy, all of the companies I have worked at in the last 10 years do not allow web browsing from server platforms as a security precaution. Especially in today's current environment of drive by web compromises we are better safe than sorry. So all web browsing and research is done on workstations with downloaded files transferred to the server of implementation. The only direct web access is for windows updates or direct copy links for installed programs if the downloads are really large.
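As an added example (not the poster's commands), the following PowerShell script applies the "default route on the DMZ NIC, static routes out the trust NIC" layout recommended above on a dual-homed Windows server, then checks which interface the server would actually use for a public client and for an internal host. The interface aliases, gateway addresses and internal ranges are constructed placeholders; substitute your own.

```powershell
# Added example, not from the original answer. All names and addresses below
# are constructed placeholders:
#   "DMZ"   NIC on 192.0.2.0/24,  DMZ-side firewall interface 192.0.2.1
#   "Trust" NIC on 10.1.1.0/24,   trust-side firewall interface 10.1.1.1
#   Internal segments that must be reached through the trust NIC
$dmzNic   = "DMZ"
$trustNic = "Trust"
$dmzGw    = "192.0.2.1"
$trustGw  = "10.1.1.1"
$segments = @("10.0.0.0/8", "172.16.0.0/12")

# 1. Drop any default route that still points out the trust NIC. Windows keeps
#    only one effective default gateway, and if it sits on the trust side the
#    replies to Internet clients leave through the wrong interface and get
#    NATed by the firewall from a different address, which is the symptom
#    described above.
Get-NetRoute -DestinationPrefix "0.0.0.0/0" -InterfaceAlias $trustNic -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

# 2. Make sure the single default gateway lives on the DMZ NIC (persistent).
if (-not (Get-NetRoute -DestinationPrefix "0.0.0.0/0" -InterfaceAlias $dmzNic -ErrorAction SilentlyContinue)) {
    New-NetRoute -DestinationPrefix "0.0.0.0/0" -InterfaceAlias $dmzNic -NextHop $dmzGw
}

# 3. Add persistent static routes for the internal segments via the trust NIC,
#    so only explicitly listed ranges are reachable that way.
foreach ($prefix in $segments) {
    if (-not (Get-NetRoute -DestinationPrefix $prefix -InterfaceAlias $trustNic -ErrorAction SilentlyContinue)) {
        New-NetRoute -DestinationPrefix $prefix -InterfaceAlias $trustNic -NextHop $trustGw
    }
}

# 4. Verify the routing decision for a public client and an internal host.
#    Find-NetRoute returns the chosen source address and the matching route;
#    the route object is the one that carries a DestinationPrefix.
foreach ($dest in @("203.0.113.25", "10.2.3.4")) {
    $route = Find-NetRoute -RemoteIPAddress $dest | Where-Object { $_.DestinationPrefix }
    "{0,-15} -> {1} via {2}" -f $dest, $route.InterfaceAlias, $route.DestinationPrefix
}
```

Run it in an elevated PowerShell session; the final lines should show the public address leaving via the DMZ NIC and the internal address via the trust NIC, and `Get-NetRoute -PolicyStore PersistentStore` confirms the routes survive a reboot.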