That DMZ is fine already, assuming they can't start hacking your routers.
What you ideally want is network segmentation, use VLANS and put devices in their isolated network, only allowed to talk to the router/firewall, which only allows incomming traffic and doesn't allow the web server to initiate connections to the internet, except for NTP, software updates and DNS (fixed ips).
What you ideally want is network segmentation, use VLANS and put devices in their isolated network, only allowed to talk to the router/firewall, which only allows incomming traffic and doesn't allow the web server to initiate connections to the internet, except for NTP, software updates and DNS (fixed ips).