Do I understand you to say that physical isolation doesn't buy you much? If I've got edge/dmz vm's running on the same esx host as lan vm's and one of the edge/dmz vm's is compromised through a ddos attack or similar, are you saying that this scenario does not present a significantly worse problem than if the edge/dmz vm's were on a completely different host, wired into a different switch/san etc. than the lan vm's?