If you can limit a client to just one IP and just TCP 3389 in your firewall, that should be enough.
Disable shared drives, or the user is able to infect the work PC with files from his home PC.
Typically, when we connect with VPN to enterprise networks to do work on certain servers or whatnot, we get a static IP and then they have firewall rules to determine what IPs / ports we can reach. So yes, the computer we use is on their LAN, but only through a very small and restricted opening that just allows RDP to just the one server we need to access. Everything else is blocked.
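
A way to check that a rule set really gives the narrow opening described above (one static client IP, TCP 3389, one server, everything else blocked). This is an added example, not part of the original posts; the rule format, function names and all addresses are constructed for illustration and model a generic first-match packet filter, not any specific firewall product.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: str             # "tcp", "udp" or "any"
    port: Optional[int]    # destination port, None = any port

def decide(rules, src, dst, proto, port, default="deny"):
    """First-match evaluation; traffic matching no rule gets the default."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.proto in ("any", proto) and r.port in (None, port)):
            return r.action
    return default

def audit(rules, client, server, probes):
    """Findings that violate 'client reaches only server on tcp/3389'."""
    findings = []
    if decide(rules, client, server, "tcp", 3389) != "allow":
        findings.append(("blocked-rdp", server, "tcp", 3389))
    for dst, proto, port in probes:
        if (dst, proto, port) == (server, "tcp", 3389):
            continue  # the one flow that is supposed to pass
        if decide(rules, client, dst, proto, port) == "allow":
            findings.append(("over-permissive", dst, proto, port))
    return findings

# Constructed sample data: VPN client with a static IP, one RDP server.
CLIENT = "10.8.0.10"
SERVER = "192.168.10.25"
PROBES = [(SERVER, "tcp", 445), (SERVER, "tcp", 22), (SERVER, "udp", 3389),
          ("192.168.10.26", "tcp", 3389), ("192.168.10.1", "tcp", 443)]
TIGHT = [  # one client IP, one server, one port, then drop the rest
    Rule("allow", "10.8.0.10/32", "192.168.10.25/32", "tcp", 3389),
    Rule("deny", "10.8.0.0/24", "0.0.0.0/0", "any", None),
]
LOOSE = [  # whole VPN pool may open any TCP port on the server subnet
    Rule("allow", "10.8.0.0/24", "192.168.10.0/24", "tcp", None),
    Rule("deny", "10.8.0.0/24", "0.0.0.0/0", "any", None),
]

if __name__ == "__main__":
    print("tight:", audit(TIGHT, CLIENT, SERVER, PROBES))
    print("loose:", audit(LOOSE, CLIENT, SERVER, PROBES))
```

The tight rule set produces no findings, while the loose one is flagged for SMB and SSH on the server and for reaching other hosts on the LAN.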