We are doing this in several of our world regions and here at headquarters. You can assign additional ports for IIS to listen on, which is what we did (from the start, actually). We made the new port the default and added 80 as a backup for non-DMZ machines, then added firewall rules to allow the inbound traffic from the DMZ hosts to the NS only, via the specified port (< 1024). The Agent policies are configured to "specify an alternative URL" (er, something like that) for the NS, with the port appended to the URL (http://servername.company.com:port/Altiris, I believe). Actually, all the agents are using the custom port (for both DMZ and regular network) so we could apply QoS de-prioritization of the traffic on that port #. We left port 80 in play so that support staff wouldn't have to remember to add the port to the URL when accessing the console.
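A host-level sketch of the layout described in the post above, as an added example that is not part of the original post. It assumes the rules are applied with Windows Firewall on the NS itself rather than on the network firewall the post mentions; the port number, site name, and address ranges are constructed placeholders.

```powershell
# Added example. All values below are constructed placeholders, not from the post.
Import-Module WebAdministration

$NsPort       = 591                            # assumed custom agent port (< 1024)
$SiteName     = 'Default Web Site'             # assumed IIS site hosting the NS
$DmzHosts     = '192.0.2.10', '192.0.2.11'     # assumed DMZ agent addresses
$InternalNets = '10.0.0.0/8'                   # assumed internal network range

# Add the custom port as an extra IIS binding, leaving the port 80 binding
# in place for console access from the internal network.
if (-not (Get-WebBinding -Name $SiteName -Protocol http -Port $NsPort)) {
    New-WebBinding -Name $SiteName -Protocol http -Port $NsPort -IPAddress '*'
}

# Agents on both the internal network and the DMZ reach the NS on the custom port.
New-NetFirewallRule -DisplayName "NS agent traffic (TCP $NsPort)" `
    -Direction Inbound -Protocol TCP -LocalPort $NsPort `
    -RemoteAddress ($DmzHosts + $InternalNets) -Action Allow

# DMZ hosts get the custom port only. A block rule takes precedence over any
# existing allow rule for port 80, so port 80 stays usable internally.
New-NetFirewallRule -DisplayName 'NS block HTTP 80 from DMZ' `
    -Direction Inbound -Protocol TCP -LocalPort 80 `
    -RemoteAddress $DmzHosts -Action Block

# Review the result: bindings on the site and the two rules just created.
Get-WebBinding -Name $SiteName | Select-Object protocol, bindingInformation
Get-NetFirewallRule -DisplayName 'NS *' |
    Select-Object DisplayName, Direction, Action, Enabled
```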