The basic concept is to take a PC running a 'hardened OS' (one that runs no services except the firewall), usually equipped with three (3) NICs. One for the 'outside' (if you use this arrangement to replace your normal router/firewall/switch device); it should be hooked directly to your provider's incoming line. Call this Zone 0. One for the DMZ; this one can be hooked to another switch/hub or directly to the server device you want the outside world to be able to access. Call this Zone 1. The third and last interface is for your internal network. It can (the DMZ) be hooked into a switch/router in order to maintain your internal LAN. Call this Zone 2. That should give you a basic diagram (when converted from words) of how the box both looks and interfaces between your provider and your internal network.

Zone 0 should be set to acquire an IP address from the provider, i.e. set up for DHCP. It should also act as your 'master DNS relayer'. What this means is that all your internal and DMZ machines will query this interface to do DNS resolutions.

Zone 1. This should be set up with a static IP address. I recommend using something in the 10.0.0.X range for DMZ machines. This will handle all of the machines in your DMZ.

Zone 2. This should be set up with a static address (something in the 192.168.0.X range); further, it should be set up to do DNS relays for any machines in your LAN. It should also be set up to hand out DHCP for your internal LAN.

From here, you get to build your firewall rules using whichever flavor of implementation you choose. Key to the entire approach is this: as the Zone # increases, you want more controls in place. This prohibits traffic flow. This is what a firewall does. Using this approach can be cumbersome unless you have some fundamental background in security concepts. However, it gives you a great deal of flexibility and does not cost as much as a true hardware-based solution does.
This is a simple way of implementing a DMZ; a more expensive way is using two hardware firewalls or firewall-enabled routers to construct a DMZ: one firewall facing the Internet and protecting both the DMZ and your internal LAN, and the second firewall protecting your internal network from your DMZ as well as the Internet. The DMZ could host servers like the DNS servers, web servers, etc. With a web server in the DMZ, it means the Internet-facing firewall will be configured to have port 80 open for communication with the web server. Also, devices in the internal network should not go directly on the Internet with live IPs; instead, the web server in the DMZ should serve as a proxy server for the clients in the internal network, with port 80 also open in the second firewall. The DMZ now will be caching web pages for the internal network as well as protecting the internal network, so even your contractors could have Internet access in the DMZ. It is important to note that in no case should any host be taken from the DMZ to the internal network without completely cleaning the host.
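One concrete way to express the three-zone policy from the post above as firewall rules. This is an added example, not code from the original thread; it uses nftables (one possible "flavor of implementation") and assumes interface names eth0/eth1/eth2 for Zones 0/1/2, the 10.0.0.0/24 and 192.168.0.0/24 ranges the post suggests, and a hypothetical DMZ web server at 10.0.0.10. The rules follow the post's principle that controls tighten as the zone number rises: the LAN may reach the DMZ and the uplink, the DMZ may reach only the uplink, and the outside may reach only the published web port, which is forwarded to the DMZ host.

```shell
#!/bin/sh
# Added example: three-NIC zone firewall rendered as an nftables ruleset.
# All names and addresses below are assumptions for illustration:
#   eth0 = Zone 0 (provider uplink, address obtained via DHCP)
#   eth1 = Zone 1 (DMZ, firewall holds 10.0.0.1/24)
#   eth2 = Zone 2 (internal LAN, firewall holds 192.168.0.1/24)
#   10.0.0.10 = hypothetical web server living in the DMZ
WAN_IF=eth0
DMZ_IF=eth1
LAN_IF=eth2
DMZ_NET=10.0.0.0/24
LAN_NET=192.168.0.0/24
DMZ_WEB=10.0.0.10

# Write the ruleset to the file named in $1. Default policy on every
# filter chain is drop, so anything not listed below is refused.
write_zone_ruleset() {
    out="$1"
    cat > "$out" <<EOF
flush ruleset

table inet zones {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # Zone 0 may not talk to the box itself, apart from the DHCP
        # replies the uplink needs to obtain its address.
        iif $WAN_IF udp sport 67 udp dport 68 accept
        # Zones 1 and 2 use the box as their DNS relay.
        iif { $DMZ_IF, $LAN_IF } udp dport 53 accept
        iif { $DMZ_IF, $LAN_IF } tcp dport 53 accept
        # Only Zone 2 gets DHCP leases from the box.
        iif $LAN_IF udp dport 67 accept
        iif $LAN_IF icmp type echo-request accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Zone 2 -> Zone 1 and Zone 2 -> Zone 0 are allowed.
        iif $LAN_IF ip saddr $LAN_NET oif { $DMZ_IF, $WAN_IF } accept
        # Zone 1 -> Zone 0 is allowed. Zone 1 -> Zone 2 is deliberately
        # absent, so a compromised DMZ host cannot reach the LAN.
        iif $DMZ_IF ip saddr $DMZ_NET oif $WAN_IF accept
        # Zone 0 -> Zone 1: only the web port, and only after DNAT.
        iif $WAN_IF oif $DMZ_IF ip daddr $DMZ_WEB tcp dport 80 ct status dnat accept
    }
    chain prerouting {
        type nat hook prerouting priority -100;
        # Publish the DMZ web server on the uplink's port 80.
        iif $WAN_IF tcp dport 80 dnat ip to $DMZ_WEB
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # Hide private Zone 1 / Zone 2 addresses behind the uplink address.
        oif $WAN_IF masquerade
    }
}
EOF
}

# Syntax-check the generated file without loading it, if nft is present.
check_zone_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1"
    else
        echo "nft not installed; skipping syntax check of $1" >&2
    fi
}

# Stand-alone use: render the ruleset and check it.
write_zone_ruleset "${TMPDIR:-/tmp}/zones.nft"
check_zone_ruleset "${TMPDIR:-/tmp}/zones.nft"
```

To apply it on the firewall box you would run `nft -f /tmp/zones.nft` as root after the syntax check passes; the DHCP client on eth0, the DNS forwarder and the DHCP server for eth2 are separate services that the ruleset only permits, it does not provide them.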
A little overkill to start with Zones if the TS doesn't even state his needs, don't you think?
When going for Zones, a Cisco ASA is probably the easiest way to go, and especially for a company, a Cisco ASA is not the most expensive way to get a firewall inside.
It's easy to create DMZ zones with one firewall; the only drawback of using one firewall is that you have to handle double the traffic on one interface.
Just for routing purposes, I would say an easy Windows configuration (or *nix) will do fine and is the easiest way to go (as a replacement for a faulty router)... a better way would be redundancy, of course.