Just tried this on our BES (V3.6) and it does seem to work. You'll still have to have Exchange mailboxes for them, though.
Add them in as normal users and then right-click on the name. Disable redirection and Enable MDS.
You should be able to put additional protections on the mailboxes through Exchange. I've only tested this briefly so I can't stand over it, only say that it's possible.
As for making MDS available, bear in mind that if your BES is not in a DMZ configuration (which, as it's not supported, I'm assuming it isn't!) then in theory, they can use the browser service to get to any web-enabled server on your LAN.
They'd need the IP or address of the server and presumably an appropriate login, but it can be done. This was one of our main reasons for switching MDS off while we examined the security features in more detail.
To be honest, I'd be extremely wary of doing this unless you have no other option.
Hope this is of some help.