Why do you want to use global CAs for internal services? Wouldn't it be better to use your own CA? I find that identifying a site by its cert fingerprint is much stronger authentication than the fact that it got a valid cert. Actually, it would be a good idea not to trust any CA other than the company's internal CA for internal services. But as far as I know, browsers aren't up to this challenge. Maybe AD allows this, but I haven't ever seen any post on how to do it.