Ok..... I've looked all over this morning and can't find anything definitive so I'm asking for people's experience.

Assuming a properly and regularly patched Exchange 2000 server, properly protected behind a firewall, (ports 25 and 80 allowed, all others blocked), Intrusion Detection Systems in place, centralized logging of System Events on a separate server that are parsed and scrutinized daily and a policy of three authentication attempts and you're locked out for 3 days.........

The question(s), do you consider remote access from client machines to internal email any more of a risk than a regular web site?

Is it worth moving it to a less well "travelled" port to avoid detection by worms etc.?

Any other insights would be helpful. We just converted to Exchange 2000, (finally), and I am considering making people's email public. Yes I could run it through a VPN but I don't really want the grief of dealing with all my non-tech users trying to set up their own PPTP connections.......