Yes, destination NAT inside of your policy is how you do this.
You can have the destination device in any zone you want. Naturally the best practice is to isolate any hosts you expose to the internet in a DMZ secured internal zone. But this is not a technical requirement to use the feature and the zones can have any name.
Create your inbound allow policy from Untrust zone to your internal zone.
Destination address is the public address you want to translate. Make this object in the same zone as your server internal address.
Permit the desired ports in this policy.
On the advanced tab of the policy check the box for destination translation and enter the internal address.
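
The same steps as CLI commands, as an added example that is not part of the original answer. It assumes the firewall is Juniper ScreenOS, which the answer does not name; the addresses, the object name `web-public`, the `DMZ` zone and the `ethernet0/2` interface are constructed placeholders. Lines starting with `#` are annotations, not commands.

```text
# Assumed platform: Juniper ScreenOS. All values below are constructed.
# Public address : 203.0.113.10
# Internal server: 192.168.10.10, reached through the DMZ zone on ethernet0/2

# The public address object is created in the server's zone (DMZ),
# not in Untrust, because it is the destination of the policy.
set address "DMZ" "web-public" 203.0.113.10/32

# Assumption: a host route sends the public address toward the DMZ
# interface, so that traffic to it is evaluated as Untrust -> DMZ.
set route 203.0.113.10/32 interface ethernet0/2

# Inbound policy: only the HTTPS service is permitted, the destination is
# translated to the internal address, and matching sessions are logged.
set policy from "Untrust" to "DMZ" "Any" "web-public" "HTTPS" nat dst ip 192.168.10.10 permit log

# Review the result: the policy should list only the intended service,
# and live sessions should show the translated destination.
get policy
get session
```

Listing a specific service instead of `Any` in the policy limits what the translation exposes to the ports the server actually needs.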