I'm pretty certain PGP won't be compatible. S/MIME is a standard, afaik.
MEG7's on-box encryption capabilities are such taht you can configure it to attempt server to server encryption when available, and then fall back to secure web delivery, wherein an on-box web server on the MEG has an http server that the recipient of the email would be told to connect back to "e.g. click here - you got a secure message from teh acme corporation." The user sets up their username and password the first time they get an email from your company this way, and all future encrypted mails from that MEG server will re-use that account they created. There's a distinction between push and pull secure mail deliveries here... one in which the message stays on your email server and they can only see it when logged into that secure mail web page, another where the message somehow gets pushed in an encrypted form to the box. HOw it decrypts, I dunno.
No, a MEG is not needed at both sites.
I have no idea on the licensing, but I'll say there way no separate line item on what we purchased and our MEG 7 can do this encryption I've crudely described above.
NOte: if you are in a clustered config, you can't do secure web delivery until you install patch 1 of MEG 7. See another thread for how well that's goin for me. :-)