We need to take eight ports out of a 3750 switch stack (four ports on two of the members, remaining ports on these members assigned to network devices; three other stack members have ports assigned to servers, printers, desktops, etc.) and assign them to network teams for (soon-to-be) DMZ-based servers. We've looked at doing L2 VLANs, but we'd prefer to keep L3. Other than assigning ACLs, is there a way to dedicate those ports to a DMZ VLAN? Are PVLANs the only other option?
You'll need to implement 'Private VLANs' to accomplish this. Here are some good links that explain how Private VLANs work and what's needed to configure them:
Securing Networks with Private VLANs and VLAN Access Control Lists
System Requirements to Implement Private VLANs
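
A sketch of the private-VLAN layout for the eight DMZ ports described in the question, added here as an example; it is not from the original posts or the linked Cisco documents. VLAN IDs 200/201, stack members 1 and 2, the port ranges and the 192.0.2.0/24 addressing are assumptions to be replaced with real values.

```cisco
! Added example. All VLAN IDs, interface numbers and addresses are assumptions.
!
! Private VLANs on the Catalyst 3750 require VTP transparent mode.
! Changing VTP mode affects the whole stack, so plan it as a change window.
vtp mode transparent
!
! Secondary VLAN: isolated, so DMZ hosts cannot reach each other at Layer 2.
vlan 201
 name DMZ-ISOLATED
 private-vlan isolated
!
! Primary VLAN: carries the DMZ subnet and is tied to the secondary VLAN.
vlan 200
 name DMZ-PRIMARY
 private-vlan primary
 private-vlan association 201
!
! Four DMZ ports on stack member 1 (assumed member number and port range).
interface range GigabitEthernet1/0/1 - 4
 description DMZ server port
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
 spanning-tree portfast
!
! Four DMZ ports on stack member 2 (assumed member number and port range).
interface range GigabitEthernet2/0/1 - 4
 description DMZ server port
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
 spanning-tree portfast
!
! Layer 3 stays on the stack: the primary VLAN's SVI is the DMZ gateway,
! and the mapping lets hosts in the isolated VLAN reach it.
interface Vlan200
 description DMZ gateway
 ip address 192.0.2.1 255.255.255.0
 private-vlan mapping 201
!
! Verification after applying:
!   show vlan private-vlan
!   show interfaces GigabitEthernet1/0/1 switchport
!   show interfaces private-vlan mapping
```

Private-VLAN isolation applies at Layer 2 only: traffic between two DMZ hosts that is sent to the gateway and routed back out Vlan200 is still forwarded unless an ACL on the SVI denies DMZ-to-DMZ traffic, which is the combination the first linked document covers.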