I believe to enable communication between interfaces with the same security level you need to issue the "same-security-traffic permit inter-interface" command to enable it. If you chage the security level you will need ACL's to allow traffic to go up a security level.
Correct. However, without a default route, anything not on the local network will be unreachable. He needs NAT to make the inside machines appear within the edge network. And I will second the "DMZ it" option -- as he has ZERO control over the box, who knows what it might decide to do one day.
