Hmm
Not an easy one really.
Where I work there are multiple domains with different security requirement levels.
One for example has fully encrypted machines with a request for username and 2 passwords to get the machine into a usable state remotely, and then the wireless is disabled in the BIOS using the passworded BIOS to stop it being turned back on, to ensure no interception at all.
At the other end of the spectrum was an old domain where users had been let loose and had a simple VPN connection to get back into the network. Obviously this worked on all but the worst net connections in the world and users had local admin rights as well... always great for fault finding...
The most common is a middle level approach where the machine is encrypted and all connections are managed through one software set and the only way to power the machine on is to have a separate device plugged into it, which also requires its own access code (kind of like an RSA token, but better) and this then allows a fully encrypted (2048-bit) tunnel to be formed back into our network. Dead easy stuff.
Users are also told not to leave any important stuff on their machine. As it's encrypted, if the HDD gets a tiny bit iffy the whole lot is nigh on impossible to get back. They are meant to have a laptop to log back into the office for a reason so nothing should be stored on their machines that is considered secure.
And after all that the sole support for the solutions is often quite busy and not likely to be without work for a long time :D