You have to run 7.2(3) Code for the "fixup" so the remote site with the 506E isn't going to work. You can make it work by basically disabling all firewall capabilities in the 6.3(x) releases, but not recommended.
Are you running IOS FW on the DMVPN routers? I've seen this type of issue with PIX FWs, and the only thing that would "fix" it was to set the MTU on the WAE interface to 1200. HTH
Without seeing the rest of the config it's hard to tell you exactly what is happening (i.e. ACLs, sysopt connection permit-ipsec, etc.). You will, however, need to have a nonat for the DMZ traffic to go back across the VPN: access-list nonat-dmz permit ip 10.4...