We would like users to be able to remotely access their desktop PC from their personal laptops over a VPN connection, but we need them to have no access other than viewing the screen and remote controlling it. No file transfer or drive redirection, no printer redirection and no other way to transmit malware over the network if their personal laptop is infected.
Since these would be personal laptops we do not manage and are not joined to our domain, they would not recognize any group policies we apply. The restrictions would need to be enforced from their desktop PC, not their personal laptop. They connect directly to their desktop PC over VPN and then RDP. There is no terminal server used.
Also, is there any way to prevent copy and paste, drive redirection and printer redirection over RDP from a domain computer to non-domain computers, but allow it between two domain-joined computers?