Declan Basile (United States of America) asked:
What Common Practices to Protect a Remote Computer from Infecting a LAN via VPN?

We use a Dell SonicWall TZ210 appliance to connect our LAN to the internet and to remotely access our LAN.  We are on a Domain, and our Domain Controller is a Windows Server 2008 Computer.  I'm concerned that a person's home computer might have malware and that the malware could cause problems on our LAN if he/she establishes a VPN connection to our LAN.  Is there a way to only allow a remote user to use remote desktop to remote to his/her local work computer after establishing a VPN connection and not use his/her home computer to do anything else on our LAN except to connect to his/her work computer?  Then essentially the person would be using the work computer (local to the company) and only using his/her own computer at home to control his/her work computer.  Would that reduce/eliminate the chances of an infected remote computer causing problems on our LAN?  Are there other practices used to reduce the chances of a person's remote computer infecting a LAN when a VPN connection is established?
ASKER CERTIFIED SOLUTION
Rob Williams (Canada)
This solution is only available to members.

SOLUTION (members-only, not shown)
Declan Basile (ASKER):
I used a feature of the SonicWall last night that limited the VPN connection to only being able to access one computer on the LAN.  I logged in via the VPN, then used Remote Desktop to connect to that one computer.  In this setup, would malware on the remote computer be able to infect the local computer and/or the LAN?  It seems to me this setup would minimize the risk but that there's still a chance that the malware could exploit a vulnerability in Remote Desktop and/or send malicious keyboard input to the local computer.  It looks to me like this solution would be as secure as using a direct RDP using SSL because you're only allowing the user to RDP to his own computer after creating a VPN connection.  However, this solution doesn't look like it's as secure as tracking enterprise-issued devices by MAC address.
The VPN can be limited to one PC which reduces the risk to other computers but still allows additional traffic, such as viruses, between host and client.
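The distinction made above (one PC reachable, but any traffic to it, versus one PC and only Remote Desktop) is easy to see with a small policy model. The following is an added example for this thread; it is not the SonicWall's own configuration and not code from any participant. The VPN client pool, the LAN addresses and the host roles are constructed for illustration.

```python
"""Added example: a default-deny policy evaluator that shows why limiting the
VPN to one PC still passes non-RDP traffic to that PC, and what changes when
the policy is tightened to TCP 3389 only. All addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network    # where the traffic comes from (VPN client pool)
    dst: ipaddress.IPv4Network    # host or network the tunnel may reach
    proto: str                    # "tcp", "udp" or "any"
    dport: Optional[int]          # destination port, None means any port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def allowed(rules, flow):
    """Default deny: the flow passes only if at least one rule matches it."""
    s = ipaddress.ip_address(flow.src)
    d = ipaddress.ip_address(flow.dst)
    return any(
        s in r.src
        and d in r.dst
        and r.proto in ("any", flow.proto)
        and r.dport in (None, flow.dport)
        for r in rules
    )


# Constructed addresses (assumptions, not from the thread)
VPN_POOL = ipaddress.ip_network("10.99.0.0/24")     # addresses handed to VPN clients
WORK_PC = ipaddress.ip_network("192.168.1.50/32")   # the user's own work PC
DC_ADDR = "192.168.1.10"                            # the Windows Server 2008 DC

# Policy 1: what "limit the VPN to one computer" gives you.
HOST_ONLY = [Rule(VPN_POOL, WORK_PC, "any", None)]
# Policy 2: the same host, but only Remote Desktop (TCP 3389).
HOST_AND_RDP_ONLY = [Rule(VPN_POOL, WORK_PC, "tcp", 3389)]

# Constructed flows from a (possibly infected) home PC on the VPN
SAMPLE_FLOWS = {
    "rdp_to_work_pc": Flow("10.99.0.7", "192.168.1.50", "tcp", 3389),
    "smb_to_work_pc": Flow("10.99.0.7", "192.168.1.50", "tcp", 445),  # worm-style file-share traffic
    "smb_to_dc":      Flow("10.99.0.7", DC_ADDR, "tcp", 445),
    "ldap_to_dc":     Flow("10.99.0.7", DC_ADDR, "tcp", 389),
}


def evaluate(rules):
    """Map each sample flow name to whether the rules let it through."""
    return {name: allowed(rules, f) for name, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, policy in (("host only", HOST_ONLY), ("host + RDP only", HOST_AND_RDP_ONLY)):
        print(f"{label:16}", evaluate(policy))
```

Under the host-only policy the SMB flow to the work PC is still permitted, which is exactly the "additional traffic, such as viruses, between host and client" the comment above warns about; only the host-plus-port policy reduces the tunnel to the RDP session the user actually needs. On a zone-based firewall the equivalent is an access rule from the VPN zone to the LAN zone that names the single host and the RDP service rather than "any".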
SOLUTION (members-only, not shown)
Is there such a thing as a remote dumb terminal flashed with an encrypted password?  Such a device wouldn't be able to have malware if its sole purpose was to RDP to a computer on a company's LAN and it didn't have the ability to do anything else.
What OS would it be running?  Who would have physical access to it?  And what good would be accomplished by having a machine you can log on to, then RDP to a computer on the corporate LAN?  Would you not want to work on any documents? Would you not want to browse anything?  

If you have a Windows box connecting to another box inside the LAN, even if through VPN, you have potential vectors exposed.

Secure that box and you'll do better.  

And don't let non-corporate devices connect.  See my earlier response.
SOLUTION (members-only, not shown)
What OS would it be running?
I'm asking if you know of a device that already exists.  If such a device exists, I'd expect it to have Linux.
---------------------------------
Who would have physical access to it?
An employee that needs to work remotely.
-----------------------------------------------
And what good would be accomplished by having a machine you can log on to, then RDP to a computer on the corporate LAN?
You wouldn't log into the machine.  The employee would just have to plug a monitor, keyboard and mouse into it, turn it on, select a Wifi Network and it would boot to his work computer's logon screen.
The good that would be accomplished is ...
1.) The device won't be capable of getting a virus because it's not a full blown computer, so it wouldn't be able to infect the work computer or company's LAN.
2.) You wouldn't have to set up the device to have a user account, disable USB ports, install anti-virus, ensure the anti-virus is kept up to date, etc. as you would with a laptop.  You would just have to flash an encrypted password, the company's IP and the work computer's IP into the device.  It would be much simpler.
3.) The device would be cheaper than a full blown computer.
So generally speaking, this solution would be simpler, cheaper, and more secure than traditional solution of using a full blown computer/laptop.
-------------------------------------
Would you not want to work on any documents? Would you not want to browse anything?  
The employee would be remotely using his computer at work, so just like he can work on documents while he is sitting at his computer at work, he'd be able to work on documents while he's using his work computer remotely.
--------------------------------------
Alternatively, the device can be a dumb tablet, i.e. a touch screen monitor that only has the hardware and software necessary to make a secure connection to a computer at work.
SOLUTION (members-only, not shown)
I'm familiar with thin clients.  We have about 100 of them on our factory floor.  But do you know of any wireless thin clients that you can flash connection information into (company IP, work computer IP, and password), that will prompt the user to select an available Wifi connection (and Wifi password if necessary) upon booting it, and that will create a secure connection to a computer using the flashed connection information?  Additionally, do you know of any thin clients with the same specification that are built into a touchscreen monitor?
There are lots of wireless thin clients, and using startup scripts and local group policy they can be locked down and set to automatically connect to a remote system.
Sounds like you are going to a lot of expense just to continue using a VPN.
Thanks Rob.  Just one more question.  What's involved in using direct RDP using SSL and a session host?  I configured port forwarding in the SonicWall and used Remote Desktop to access my work computer from my home computer but don't know if I was using an SSL connection or not.  Would an SSL connection require our company to get an SSL certificate from a Certificate Authority, or is it just a matter of configuring the SonicWall to use SSL?
SOLUTION (members-only, not shown)

SOLUTION (members-only, not shown)
If you can tighten down the VPN to restrict those ports or specific traffic I agree it is more secure but brute force attacks on RDP tend to be when you are using port 3389, not 443, SSL, and a TS Gateway.  You also want to make sure you enforce complex passwords and account lockouts.
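The brute-force risk on an exposed 3389 and the lockout advice above are two sides of the same log data. The following is an added example for this thread, not code from any participant: detection logic run over constructed Windows Security records. Event ID 4625 (failed logon) and Logon Type 10 (RemoteInteractive, i.e. RDP) are real values; the timestamps, account names and addresses are made up.

```python
"""Added example: RDP password-guessing detection over constructed Windows
Security events. Two views of the same records: per source address (what a
monitor watching port 3389 alerts on) and per account (what an
'N failures in M minutes' domain lockout policy would actually lock)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed records: (timestamp, event_id, logon_type, account, source_ip)
SAMPLE_EVENTS = [
    # one source trying many accounts once each (password spraying)
    ("2013-03-04 02:00:01", 4625, 10, "jsmith",        "203.0.113.9"),
    ("2013-03-04 02:00:03", 4625, 10, "Administrator", "203.0.113.9"),
    ("2013-03-04 02:00:05", 4625, 10, "admin",         "203.0.113.9"),
    ("2013-03-04 02:00:07", 4625, 10, "test",          "203.0.113.9"),
    ("2013-03-04 02:00:09", 4625, 10, "guest",         "203.0.113.9"),
    ("2013-03-04 02:00:11", 4625, 10, "backup",        "203.0.113.9"),
    # a legitimate user who mistyped once, then logged in (4624 = success)
    ("2013-03-04 02:05:00", 4625, 10, "dbasile",       "198.51.100.4"),
    ("2013-03-04 02:05:20", 4624, 10, "dbasile",       "198.51.100.4"),
    # a network (type 3) failure, not RDP; must be ignored here
    ("2013-03-04 02:06:00", 4625,  3, "svc_backup",    "192.168.1.22"),
    # one source hammering a single account
    ("2013-03-04 02:10:00", 4625, 10, "administrator", "203.0.113.77"),
    ("2013-03-04 02:10:04", 4625, 10, "administrator", "203.0.113.77"),
    ("2013-03-04 02:10:08", 4625, 10, "administrator", "203.0.113.77"),
    ("2013-03-04 02:10:12", 4625, 10, "administrator", "203.0.113.77"),
    ("2013-03-04 02:10:16", 4625, 10, "administrator", "203.0.113.77"),
]


def rdp_failure_bursts(events, key, threshold, window):
    """Group RDP logon failures by key(account, src) and return
    {key: time_threshold_first_reached} for every key that accumulates
    `threshold` failures inside any span of length `window`."""
    recent = defaultdict(deque)   # key -> failure timestamps still inside the window
    flagged = {}
    for ts, event_id, logon_type, account, src in sorted(events):
        if event_id != 4625 or logon_type != 10:
            continue
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        k = key(account, src)
        q = recent[k]
        q.append(t)
        while t - q[0] > window:          # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and k not in flagged:
            flagged[k] = t
    return flagged


def brute_force_sources(events, threshold=5, window=timedelta(minutes=2)):
    """Source addresses to alert on or block at the firewall."""
    return rdp_failure_bursts(events, lambda acct, src: src, threshold, window)


def accounts_hitting_lockout(events, threshold=5, window=timedelta(minutes=30)):
    """Accounts a lockout policy of `threshold` failures in `window` would lock.
    Windows account names are case-insensitive, so compare lower-cased."""
    return rdp_failure_bursts(events, lambda acct, src: acct.lower(), threshold, window)


if __name__ == "__main__":
    print("sources to block:", sorted(brute_force_sources(SAMPLE_EVENTS)))
    print("accounts locked: ", sorted(accounts_hitting_lockout(SAMPLE_EVENTS)))
```

The spraying source (one guess per account) never trips the per-account lockout because no single account reaches the threshold, yet the per-source view flags it within seconds; the single-account attack trips both. That is why the lockout policy recommended above should be paired with source-based monitoring of 4625/type 10 events, or better, with a gateway on 443 that keeps 3389 off the internet entirely.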
Thank you for all your comments.  FYI, Clear Cube has a solution similar to what I was asking for.  They use "Zero Clients" to make a hardware connection to a Remote Computer.  I'm currently learning more about it.
Sounds good, thanks Declan.
I'm sure you have checked into it but I thought the ClearCube VPN clients were only USB connections to the blade server or Multipoint.  They do have thin clients though.
Clear Cube's zero clients don't even have an operating system.  Vulnerabilities in an OS, a browser, a VPN client, RDP, etc. can't be exploited because none of that exists.  You're removed from having to deal with all that (and having to keep the thin client up to date - security updates, virus definition updates, etc.).  You need to add a second Ethernet card (a host card) to the computer at work and have a router capable of VPN (or buy a VPN device for $50-60 to connect between the router and zero client).  The general idea is to connect the video, keyboard and mouse with an Ethernet connection instead of USB and VGA or DVI.  It's strictly a hardware connection.
I agree with all comments but my understanding is Zero clients must either have a direct USB connection or use a serial over Ethernet connection.  The latter is extremely fussy about even wiring quality because unlike normal Ethernet there are no packet retransmissions so the connection can be very flaky.  As a result I believe you can only have a reliable connection on a LAN.

Regardless I will let you sort that out.
Cheers!
--Rob