Policies are fine. This sounds more like a routing issue. In order for trust to untrust traffic to use the MIP, the egress interface has to be the one that the MIP is configured on. In this case, it looks as though the egress interface is eth0/1, but the MIP is on eth1/0. You have a few options for this.
1. Configure a source route for 192.168.7.144 that points to eth1/0
2. Configure the MIP on a loopback interface and bind all of your untrust interfaces to that loopback group.
The second option is probably the easiest.