Under 7.0 (this is speculation; I have not tried 7.0) you may be able to use the new context features. If I understand the following passage correctly, you could in theory separate the LAN into VLANs and point those VLAN segments to different virtual firewalls.
Q. What does Security Context in PIX mean?
A. You can partition a single hardware PIX into multiple virtual devices, known as Security Contexts. Each context becomes an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices. Many features are supported in multiple context mode and include routing tables, firewall features, IPS, and management. Some features are not supported, including VPN and dynamic routing protocols.
Under 6.3(5), it would be most difficult (if not impossible) without another router in between the PIX and the INET connections. As for splitting the internal LAN, the PIX does not have a way of differentiating between who goes where.
The official answer.
Q. Can I connect two different ISPs to my Cisco Secure PIX Firewall (for load-balancing)?
A. No, you cannot load-balance on the PIX. The Cisco Secure PIX Firewall is designed to handle only one default route. When you connect two ISPs to a single PIX, it means that the Firewall needs to make routing decisions at a much more intelligent level. Instead, use a gateway router outside the PIX so that the PIX continues to send all of its traffic to one router. That router can then route/load-balance between the two ISPs. An alternative is to have two routers outside the PIX using Hot Standby Router Protocol (HSRP) and set the default gateway of the PIX to be the virtual HSRP address. Alternatively, (if possible) you can use Open Shortest Path First (OSPF) which supports load balancing among a maximum of three peers on a single interface.