-first (counting from user via corporate access zone to company intranet) firewall protects the access servers from attacks and limits acceptable traffic for example certain ports (DNS, DHCP etc.)
-first firewall may be removed or combined with security gw in less security demanding offices
-second firewall control the access to intranet or acts as termination point for IPSEC/VPN tunnel
-there may even be visitor zones without encryption for company visitors to be able to connect to Internet and via Internet to their own intranet