Running a dedicated environment in the DMZ is not a desirable option. I would build the following topology:
- Web Application (Intranet)
  - https://intranet.company.com
- Web Application (Extranet)
  - https://extranet.company.com
- Web Application (Search)
Use a reverse proxy like TMG to publish the URLs to the internet. In general, I would recommend also publishing the intranet and using only one URL that works both inside and outside of the company. http://msdn.microsoft.com/en-us/library/gg430121(v=office.12).aspx
The search application will be valid for all users (claims AD and claims forms). The indexed content from the file shares will not show up for the claims forms users because they are not treated against the AD ACLs, so there is no chance the users will see results from the share.
If more separation is needed, you could split up search and create different search scopes to isolate content, and configure the corresponding search center to use only the needed scope. http://technet.microsoft.com/en-us/library/ee792872.aspx
If you don't want a dedicated search web application, you can host the search center on the corresponding web app, but the user may be confused by the fact that 2 search centers will exist. I would recommend using one primary search center for all.