Re: WCF adapter WSHttp Binding Receive Port Hosted in IIS, IIS sitting in DMZ – Implications & Setup Guidance
Your receive location must be resident in IIS/WAS on a BizTalk server. The receive location code is responsible for receiving the message from the wire, running the pipeline and any maps, and writing to the MessageBox database. If this code executes in the DMZ, you will need to open firewall ports to expose the BizTalk SQL databases to the DMZ. This is less secure than opening ports 80 and 443 to allow HTTP access to a web service inside your network.
The standard practice for offering public web services from BizTalk is to use a reverse proxy such as ISA Server, or to create your own web service in the DMZ that calls the BizTalk web service internally. My preferred option is the reverse proxy approach. The ISA Server or other vendor's product is specifically built as a security device. You do not have to write code and be concerned about potential security issues in this code. The reverse proxy is less maintenance and probably more secure.
The latest ISA Server is now called Forefront Threat Management Gateway 2010.