No, you cannot specify multiple security modes; it's either "user" (local user database) or "ads" (AD authentication).
"security = ads" means you don't store hashed passwords on the Samba server at all, as all authentication is done via Kerberos against an AD domain controller. The only account an intruder would immediately be able to access is the AD computer account for the Samba server itself.
Whether it's "safe" or not to store hashed data on a server in a DMZ would depend on a number of factors, such as:
- the quality of the hash algorithm
- whether the hashes are salted
- how well the hashed passwords can withstand a dictionary attack
- what (if anything) such a hash can be used for (some broken and deprecated MS authentication algorithms make it possible to authenticate using only the hash)
- and of course, how difficult it is to compromise the server and how long it would take you to notice that a break-in had taken place
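
To check which of the two modes a given smb.conf actually ends up with, here is an added example (not part of the original answer, and not Samba's own code). The function names and the sample file are made up for illustration, and it assumes a repeated parameter in [global] takes its last value.

```python
import re

# The two modes the answer distinguishes, and where password checks happen.
HASH_LOCATION = {
    "user": "local passdb on this server (password hashes stored on the host)",
    "ads": "AD domain controller via Kerberos (only the machine account is local)",
}

def global_params(conf_text):
    """Return the [global] parameters of smb.conf text as a dict."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Parameter names are compared without case or embedded spaces.
            key = re.sub(r"\s+", "", key).lower()
            params[key] = value.strip()      # assumption: last assignment wins
    return params

def audit_security(conf_text):
    """Return (mode, where_hashes_live) for the effective security setting."""
    mode = global_params(conf_text).get("security", "").lower()
    # Exactly one mode is in effect; a list such as "user, ads" is not a mode.
    return mode, HASH_LOCATION.get(mode, "not one of the two modes discussed here")

# Constructed sample, not taken from a real server.
SAMPLE = """
[global]
    workgroup = EXAMPLE
    security = user
    ; a second assignment replaces the first, it does not add a mode
    Security = ADS
    realm = EXAMPLE.COM
[share]
    path = /srv/share
"""

if __name__ == "__main__":
    print(audit_security(SAMPLE))
```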