I’m sorry, but your networking department are on crack or something like that – they clearly do not understand what the purpose of a DMZ is. To summarize – there are three “areas” – the big, bad outside world, your pure and virginal inside world, and the well known, trusted, safe DMZ.
The rules are:
- Connections from outside can only get to hosts in the DMZ, and on specific ports (80, 443, etc);
- Connections from the outside to the inside are blocked absolutely;
- Connections from the inside to either the DMZ or the outside are fine and dandy;
- Only hosts in the DMZ may establish connections to the inside, and again, only on well known and permitted ports.
Point four is the one they haven’t grasped – the “no connections from the DMZ” policy is misguided.
Ask them “How does our email system work then?” I assume you have a corporate mail server, maybe Exchange, and individuals have clients that connect to it. Ask them to explain how your corporate email, with access to internet email, works and is compliant with their policy.
Sorry, it doesn’t really give you an answer.
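
Added example, not part of the original answer: a small Python model of the four rules that traces inbound internet mail hop by hop, first under the rules as listed and then under a "no connections from the DMZ" policy. The SMTP port (25), the DMZ mail relay in front of the internal mail server, and the default deny for flows the four rules do not mention are assumptions made for illustration.

```python
from dataclasses import dataclass

# 80 and 443 come from the answer; 25 (SMTP) is an assumed extra for mail.
OUTSIDE_TO_DMZ_PORTS = frozenset({25, 80, 443})
# Assumed "well known and permitted" port from the DMZ relay to the inside.
DMZ_TO_INSIDE_PORTS = frozenset({25})


@dataclass(frozen=True)
class Flow:
    src: str   # zone that opens the connection: outside, dmz or inside
    dst: str   # zone that receives it
    port: int  # destination port


def allowed(flow, dmz_to_inside_ports=DMZ_TO_INSIDE_PORTS):
    """Decide whether a new connection is permitted under the four rules."""
    if flow.src == "outside" and flow.dst == "dmz":
        return flow.port in OUTSIDE_TO_DMZ_PORTS      # rule 1
    if flow.src == "outside" and flow.dst == "inside":
        return False                                  # rule 2
    if flow.src == "inside" and flow.dst in ("dmz", "outside"):
        return True                                   # rule 3
    if flow.src == "dmz" and flow.dst == "inside":
        return flow.port in dmz_to_inside_ports       # rule 4
    return False  # not covered by the four rules; assumed default deny


# Constructed path: internet sender -> DMZ relay -> internal mail server.
INBOUND_MAIL_PATH = (Flow("outside", "dmz", 25), Flow("dmz", "inside", 25))


def first_blocked_hop(path, dmz_to_inside_ports=DMZ_TO_INSIDE_PORTS):
    """Return the first hop the policy refuses, or None if the path works."""
    for hop in path:
        if not allowed(hop, dmz_to_inside_ports):
            return hop
    return None


if __name__ == "__main__":
    print("four rules:", first_blocked_hop(INBOUND_MAIL_PATH))
    print("no connections from the DMZ:",
          first_blocked_hop(INBOUND_MAIL_PATH, frozenset()))
```

Passing an empty port set for rule four models the stricter policy, and the trace then stops at the relay-to-mail-server hop.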