Lock it down as much as possible. The whole point of having a DMZ is that if the servers on it are compromised, your inside network is still safe. If all access to this server is initiated from the inside, then you don't need any access-list, because the PIX will automatically allow the return traffic back (this doesn't include ICMP actually, so you do need to allow that in if you want to be able to ping this server from the inside). Your ACL only needs to allow the traffic types that this server initiates to the inside network; if there isn't anything like that, then don't specify an access-list at all.
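
As an added example (not part of the original answer), here is a PIX configuration sketch of the minimal DMZ ACL described above. The interface name `dmz`, the ACL name `dmz_in`, every address, and the syslog flow are assumptions made up for illustration, and the `!` lines are annotations.

```cisco
! Constructed addressing (assumptions): DMZ server 172.16.1.10,
! inside network 192.168.1.0/24, inside log collector 192.168.1.50.
! Also assumed: inside addresses appear untranslated on the DMZ side.
!
! Ping replies from the DMZ server back to inside hosts. ICMP return
! traffic is not allowed back automatically, so it needs its own entry.
access-list dmz_in permit icmp host 172.16.1.10 192.168.1.0 255.255.255.0 echo-reply
!
! The only flow the server itself initiates toward the inside
! (hypothetical: syslog to a collector). Omit if there is none.
access-list dmz_in permit udp host 172.16.1.10 host 192.168.1.50 eq 514
!
! Anything else arriving from the DMZ falls through to the implicit deny.
access-group dmz_in in interface dmz
```

Binding an ACL to the `dmz` interface also replaces the default permit toward lower-security interfaces, so any DMZ-to-outside traffic the server needs has to be listed in the same ACL.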