I don't do ISA, but here is what I would do if I were you:
REMOTE OFFICE (192.168.128.0/24)
VPN Appliance - bridges 192.168.128.0/24 to 192.168.7.0/24
Remote office's Internet
Main office's Internet
Firewall supporting IPSec Tunnels
VPN - bridges remote office to LAN
LAN 192.168.8.0/24
LAN (your machines + server)
LAN (Terminal Server box)
DMZ (what you need here)
In the users' login profiles, just enable or disable TS for them - this lets you restrict who can use TS in either location.
Since I don't do ISA, I can't really provide an ISA type solution, but the idea may be of help.
If you put the TS in the DMZ and it has any means to authenticate with the LAN servers, then you've broken the reason to have a DMZ.