A so-called "De-Militarized Zone" is a special network segment that has limited privileges. Machines on the DMZ are allowed to reply to requests, but are not allowed to initiate connections to other systems outside the DMZ. (Contrast this with a LAN behind a firewall - machines on the LAN are allowed to initiate connections to each other and the Internet, but machines on the Internet cannot initiate a connection to machines on the LAN.)
This is extremely important. Remember, once a box is cracked it's working for the bad guys, not you. You don't want a machine like that on your LAN, behind the firewall. Put it somewhere that it can't do further damage. Moreover, you don't want DMZ machines connecting out to the Internet, possibly sending spam or performing a DDOS, or even being used as a base to crack other machines.