You can only use interface NAT in one place. So for the DMZ to access the internet you need to enable NAT on the policy that allows the internet access.
Web interface:
edit the dmz to untrust policy
Advanced settings
check off source NAT
CLI: Where 2 is the number of your policy
set policy id 2 from "dmz" to "Untrust" "Any" "Any" "ANY" nat src permit
Also, you don't have to use interface NAT with a dynamic address (at least in 6 I'm assuming this is the same). The DHCP interface function takes care of the default route. I have all my NAT in policies even at the site with a dynamic IP.