Is private-to-private filtering a reasonable thing?

We have a client who needs to have someone relatively untrusted
to the office from home. This user will require the VPN because he'll
be running specialized software connecting to a workstation at the
office that, while physically on our private-side network, does not
log on to our NetWare server.

The client is concerned that allowing such a user on via the VPN
effectively bypasses all the filtering that BorderManager puts in

Would something like Symantec's client firewall, which we could
centrally manage from the same System Center Console we use for their
software, be a better approach?