This is to protect a rather large remote-access VPN rollout. Have a few thousand people that need broadband access to corporate network.
...
The big problem? How do I protect our internal network from trojans and other hacker tools that could be loaded on these remote machines that I have no control over?
Short answer: pay the money (probably $250/hour) to have someone competent come out, look at your business, evaluate the risks you're facing, and recommend appropriate security policies and countermeasures.
Longer answer: you can't stop your users from surfing the internet and running a trojan executable labelled "Britney Speers HOT XXX clip." Making sure your users are running something like Norton AV + Zone Alarm (do the right thing and buy a license if you're using it for business) increases the odds of catching the file before it can do any harm (Norton should alert; if not, Zone Alarm will request permission before allowing the trojan access to the internet), but *someone* is going to be a dope and do something stupid.
You've got to figure out how to limit the damage that can happen when a client machine does get compromised, and the answer is going to be specific to you -- no-one here can really help. There are decent books on designing security policies that you can buy, but nothing that can answer the questions you've got *now* with any authority.
And BTW, what you're looking for is a good security policy -- trying to come up with countermeasures before you've defined the risks you're facing and the possible/probable losses resulting from a security compromise is foolishness.
Possible answers include: locking down client machines as much as possible; installing firewalls/routers that allow no internet access -- only VPN tunnels to work are allowed; basing access to corporate resources on something other than a password (smart card might work); allowing users to access the system via Metaframe only with appropriate security policies enabled on the server, etc.
There's nothing anyone here can really tell you without knowing more about your situation. Hire a competent consultant.
No offense intended to the poster or other thread participants. It sounds like you're talking about a (possibly expensive) business decision, but you're approaching it from more of a hobbyist's perspective.
As always, IMHO.