Internet to Modem
Modem to Router
Router to DMZ Hub/Switch
DMZ Switch to WEB/FTP/Game Server
...and...
DMZ Switch to Firewall External NIC
Firewall Internal NIC to Internal Hub/Switch
Internal Hub/Switch to Internal Systems
You can initiate connections to the DMZ and to the Internet, but neither of those two networks can initiate connections to you. Essentially, you are saying that you don't trust those two networks, and they are considered completely separate from your internal LAN. This way, if your Host in DMZ is compromised, the intruder will not be able to compromise the other computers in your LAN.
The power is further extended by the fact that you can use NAT on your border device to pass only the ports needed into your DMZ. So, if you are only running a web server, then you only pass TCP 80 to your DMZ machine running that daemon; all other connection requests are refused at the border router/firewall.