Adding a secure, internal-only SharePoint Web application / Site collection in existing farm

Hi,

We are currently working on creating a new internal-only SharePoint site that will host sensitive information. We are planning the architecture to provide a secure environment to host this information in SharePoint. We will create the new web app on a separate database with encryption enabled TDE; we are also planning to encrypt the data through the SharePoint (Insert third-party vendor here) forms before it gets to the SP DB. And obviously, SharePoint permissions will be set accordingly.
Additionally, we would like to have the site accessible only through our internal network and keep it off the DMZ.
Our current SharePoint environment consists of two web-front end servers (load-balanced) externally exposed (DMZ), one application server and the SQL server both behind the DMZ (internal-only). Currently all of our SharePoint web apps are accessible externally through SSL.
What is the best way to accomodate this new internal-only web application within our existing farm providing the security measures explained before?
I am thinking  on adding an extra WFE server to the existing farm and put it behind the DMZ (internal-only) in a similar way as our application server is configured right now, but just serving exclusively this new internal site's content. I would then have the NEtwork guys to make the site accessible only to users logged-in internally in our network and through this new dedicated server only. My concern is that since all of our other web apps in the farm are exposed externally, and since the new server would be part of the same farm, that could be open doors for bad guys to access this information. Are there any other topology options I should consider? I have thought about creating a small (one-server only) new farm just for this purpose, but I am trying to avoid going that route.
Any thoughts?

Thank you,

Rob