What is the purpose of a demilitarized zone (DMZ) on a network?

Study for the EC-Council Certified Ethical Hacker (CEH) v13 Exam. Utilize flashcards and multiple-choice questions with helpful hints and detailed explanations. Excel in your exam preparation!

Multiple Choice

What is the purpose of a demilitarized zone (DMZ) on a network?

Explanation:
A DMZ serves as a buffer between the untrusted network (like the internet) and the trusted internal network by hosting publicly accessible servers in a separate, controlled zone. The key idea is to allow external users to reach the DMZ-hosted services directly while keeping the internal network protected behind a firewall. If a DMZ host is compromised, the attack surface is limited to the DMZ and does not automatically give access to internal systems, thanks to strict firewall rules and network segmentation between the DMZ and the internal network. This is why the description focuses on providing direct access to the DMZ nodes while shielding the network behind it—the DMZ exposes only the necessary public services and keeps the rest of the internal environment safeguarded. The other options imply complete isolation of the internal network, routing all traffic through the DMZ, or giving direct access to internal nodes, which would undermine the protective purpose of a DMZ.

