(I apologize for being so picky, but could you stop the stream-of-thought style? You are no Cormac McCarthy.)
Randomly answering some of your questions:
1. When a machine is in the DMZ, it has a LAN address that is mapped to an external IP through a point-to-point circuit (see lartc.org for all the dirty details). Your realhost (I call realhost the OS running on top of the naked hardware), where the Dom0 resides, doesn't need to use that IP.
2. Thus you can assign the DMZ address to the virtual machine that works as router for the other VMs in the realhost.
3. Each virtual machine is a host in its own right with its own IP address. So, I ask: Why do you believe you can only use port 22 to a single host? See the next answer.
4. Was that ssh_config snippet unclear? It uses netcat and some OpenSSH internal variable substitution to redirect the connection to a given host. Whatever port you use depends on how you configure each OpenSSH server.
5. To give secured access you can ask each person for a copy of the public part of an ssh keypair and install it in the authorized_keys file of the account you are giving access to. You have to place the key in the proxy host and in the target virtual machines. Now, you can create an account for each person or have them share a login account; I'm not so trusting myself. You have to disable password logins in the server, of course.
But this doesn't scale. The alternatives would be to use either Kerberos and OTP passwords (ugly complicated stuff, works great after you set it up, don't do it if you are pressed for time), or use x509 certificates with a central PKI. I have no experience with the latter and it is not too well documented, but I'd go with this solution nonetheless.
6. Read the OpenSSH documentation. The manual pages are very comprehensive!
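
The "disable password logins in the server" step from point 5 can be checked on the proxy host and on each VM with a small script. This is an added example, not part of the original post: the function names are made up here, and it assumes a single sshd_config file (Include directives are not followed).

```sh
#!/bin/sh
# Added example: check that an sshd_config really disables password logins.
# sshd keeps the FIRST value it reads for a keyword, so a later
# "PasswordAuthentication no" does not override an earlier "yes".
# Assumption: one file is checked; Include directives are not followed.

# Print the global (pre-Match) value of keyword $1 in file $2.
# "yes" is printed when the keyword is absent (OpenSSH's built-in default
# for PasswordAuthentication).
sshd_global() {
    awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        { sub(/#.*/, ""); sub(/=/, " ") }   # drop comments, accept key=value
        NF == 0 { next }
        tolower($1) == "match" { exit }     # global section ends at first Match
        tolower($1) == want { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }
    ' "$2"
}

# Print the line numbers inside Match blocks that set keyword $1 to yes.
sshd_match_enables() {
    awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        { sub(/#.*/, ""); sub(/=/, " ") }
        tolower($1) == "match" { in_match = 1; next }
        in_match && tolower($1) == want && tolower($2) == "yes" { print NR }
    ' "$2"
}

# Succeed only if password authentication is off globally and no Match
# block turns it back on for some users or addresses.
password_auth_disabled() {
    [ "$(sshd_global PasswordAuthentication "$1")" = "no" ] || return 1
    [ -z "$(sshd_match_enables PasswordAuthentication "$1")" ] || return 1
}

# Constructed sample: the trailing "no" is ignored because "yes" came first.
sample=$(mktemp)
printf '%s\n' 'PubkeyAuthentication yes' 'PasswordAuthentication yes' \
    'PasswordAuthentication no' > "$sample"
if password_auth_disabled "$sample"; then
    echo "password logins disabled"
else
    echo "password logins still possible"
fi
rm -f "$sample"
```

Keyboard-interactive authentication is a separate sshd_config setting and is not covered by this check.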