The risk for such a venture is proportionate to the amount of trust you place in VMware ESX's networking stack. If you place the Internet and Intranet hosts on a separate Virtual Switch (or port group) and turn off promiscuous mode, IP spoofing, and MAC spoofing, then you will have architected the most secure networking design possible with ESX. However, if you are wary of the goings-on of how VMware has implemented all of this under the covers, then an alternative design would be to segregate ESX servers not just by access to shared storage (the typical segregation decision), but also by role (Internet, Intranet). If you would like to know more please feel free to email me. Hope this helps!
This was first published in November 2007