I would never put any type of exchange server into a fully accessible DMZ. Using NAT is the only good solution. Since you said you are moving to 2003 you will probably want to read up on RPC over HTTP functionality that you get with 2003.

MS recommendations on securing your front-end/back-end configuration-
http://support.microsoft.com/default...b;en-us;829027

One of the better examples of how to use rpc over http is here- http://support.microsoft.com/default...b;en-us;840255

How to configure it-
http://support.microsoft.com/default...b;en-us;841652



Also, as for good IDS filters that are written for OWA the only ones that I'm aware of are the ones that come with ISA server.