Hi Philipp, thank you for your suggestions.
2. NIDS. Run a NIDS on all firewalls including one dedicated NIDS box in your DMZ -> could be instead of your win2k Domain controller. I don't know what a NIDS is. I guess Network Intrusion Detection System? Well, I don't have much knowledge in that sector, but I will read as much as I can get on NIDS and install one. Thank you for that.
3. Domain controller in a DMZ: U don't need that. We're talking about network layers, not about application layers. I think I got that wrong. I thought that every computer in one network has to be registered in a domain controller, so I set up one for the DMZ (because this should be a separate network) and one for the internal network. I changed that and uploaded a new draft.
4. Windows attached to the internet? If not a must for some reason, don't do it. Windows is expensive in any way. The problem is that our administrator doesn't know much about Linux, and we have to use Windows as a web server because the pupils use Frontpage and ASP for their projects (I know that's lame, but I can't change that, sorry).
5. Proxy: You'll be fine running it on Firewall2. OK.
6. diversification: Firewall1 OS <> Firewall2 OS. What OS would you suggest if not both Linux?
Have a nice day, Christoph