However, I can see already that this will cause a problem with third party updates.
Not as much, any more, I've learned. Recent enhancements in the Windows Update Agent (or WSUS, I'm still not sure when/where it appeared), now allow for a WSUS server without a local (Microsoft) content store to successfully host third-party content.
I'm not really sure how an additional WSUS Server (with or without content) helps with "rarely connected but pretty much here all the time" scenarios, since rarely connected means they won't even know about updates, and "pretty much here all the time" means they'll have only minimal opportunities to download content from external connections, but given that the volume of binaries needed to support third-party updates is fairly minimal, it's likely long enough to facilitate downloading of the third-party content (and then those notebooks can obtain their Microsoft content elsewhere/elsehow) -- all it requires is fixing the "rarely connected" part of the problem.
I will also say, I've encountered similar sorts of situations via the Microsoft TechNet WSUS forum regarding machines that are frequently not connected to the corporate network (although in most of those cases, it was because the machines were physically not present at all). Generally my response to those admins has been that the needs of the organization require that somehow those machines GET connected to the network on a regular, recurring basis, and additionally, that this isn't actually a technology problem, but a business problem. I'm quite intrigued with the "rarely connected but here pretty much all the time" scenario, as relates to how the users of those notebooks get any actual work done without a network connection, but I'd still offer pretty much the same suggestion: The nature of maintaining the equipment in an operational (and safe and secure) state *requires* that those systems ARE connected to the network for a couple of hours once a month, and making that happen should be a business requirement, not necessarily just a technology problem.
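If the "connect once a month" rule above becomes a business requirement, the admin still needs a way to see which notebooks are breaking it. The script below is an added example, not code from anyone in this thread: it uses the WSUS administration API (the UpdateServices module that ships with the WSUS role/console on Windows Server 2012 and later) to list every registered client whose last status report is older than a threshold, defaulting to 30 days. The server name, port and threshold are assumptions to adjust for the local environment.

```powershell
# Added example (not from the thread): report WSUS clients that have not
# reported status within the last N days, i.e. the "rarely connected"
# notebooks the discussion above says must be on the network monthly.
# Assumes the UpdateServices module is available (WSUS role or console
# installed) and the account running it has WSUS administrator rights.

param(
    [int]$MaxDaysSinceReport = 30,      # assumption: monthly check-in policy
    [string]$WsusServer = '',           # empty = the local WSUS instance
    [int]$Port = 8530,                  # assumption: default non-SSL WSUS port
    [switch]$UseSsl
)

Import-Module UpdateServices -ErrorAction Stop

# Connect locally when no server name is given, otherwise to the named host.
if ([string]::IsNullOrEmpty($WsusServer)) {
    $wsus = Get-WsusServer
} else {
    $wsus = Get-WsusServer -Name $WsusServer -PortNumber $Port -UseSsl:$UseSsl
}

$cutoff = (Get-Date).AddDays(-$MaxDaysSinceReport)

# Pull every registered client and filter client-side, so machines that have
# registered but never reported at all (timestamp = DateTime.MinValue) also
# show up instead of being silently dropped.
$allClients = @($wsus.GetComputerTargets())

$stale = @($allClients |
    Where-Object { $_.LastReportedStatusTime -lt $cutoff } |
    Select-Object FullDomainName,
                  IPAddress,
                  LastSyncTime,
                  LastReportedStatusTime,
                  @{ Name = 'DaysSinceReport'
                     Expression = {
                         if ($_.LastReportedStatusTime -eq [datetime]::MinValue) { 'never' }
                         else { [int]((Get-Date) - $_.LastReportedStatusTime).TotalDays }
                     } } |
    Sort-Object LastReportedStatusTime)

$stale | Format-Table -AutoSize

"{0} of {1} registered clients have not reported in the last {2} days." -f `
    $stale.Count, $allClients.Count, $MaxDaysSinceReport
```

The filter keys on LastReportedStatusTime rather than LastSyncTime on purpose: a sync only proves the client reached the server once, while a status report means it completed a full detection cycle and told WSUS what it is missing, which is the state the monthly requirement is really trying to guarantee. Run it from a scheduled task and hand the list to whoever owns the business rule, which is the point made above: the tooling can show who is out of compliance, but getting the notebooks plugged in is a procedural decision.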
I discussed this with the powers that be, and we've decided to do as you suggested and turn this into a procedure thing rather than a tech problem. Unlike what I suspected, the WSUS box in the DMZ wasn't immediately dismissed, but given that only one of the laptops is a part-time remote user, we decided that it wasn't worth the hassle to gain that small bit of convenience right now.