Hi Paul,
The Backup Exec media server connects to the Remote Agent on the remote machine, not the other way around.
If I understand your environment correctly, this should mean that your server in you secure LAN connects OUT the firewall to your DMZ zoned web server.
That shouldn't actually involve punching holes in anything- your firewall allows outbound connections right?
In the event that your web server has an additional firewall on it, sure, you need to open the remote agent port, and then, only from your one address.
Really, backing up that server to your tape shouldn't be a major security issue. If your Media Server was outside your LAN and on your DMZ, I would understand the concern, but then, I'd question why you did that in the first place.
If you don't have the normal Active Directory communication ports open, you may have various issues browsing the shares on the server etc, but I'm sure with a little tweaking it can be overcome.