Question : Problem: Remote user Laptop setup (join to domain or local, and vpn options?)

Here is the environment.
I have a CISCO asa 5505 with a VPN tunnel running and it can accept VNP client connections as well.  I also have a terminal server set up for remote access via direct RDP or VPN + RDP.  I have remote users that are using all kinds of options to get here and I seem to do it differently every time trying to get the best situation.  I really need some advice on how other companies handle remote workers (sales people with laptops) that work totally out of the office.
Im setting up a new laptop and Im weighing the options.  
Do I join it to the domain or leave it as a local machine only?  
Do I install the VPN client and all client side applications (ERP, Email) and have it start the vpn before boot?
Windows update to MSN or my SUS server?
AV updates to my server or the AVs server?
How much control over the remote machine is reasonable?
I know answers to my questions are likely it depends on the situation, but I want to know what others are doing in respect to these remote workers.

Answer : Problem: Remote user Laptop setup (join to domain or local, and vpn options?)

We have a number of laptop users.  Because of the type of company we are, we force the users to come through our network even when remote.  Their laptops are on the domain, but thats primarily because they also occasionally come in to the office and it just makes it easier.  We have their IE settings locked down so that they have to start up a VPN and connect to our network before being able to access the Internet.

Our IT folks have more leeway because we need to be able to quickly get to multiple things.  We connect to a VPN or also have an RDP server available much as you do.  Most of us have PCs that have been tied to the domain because it makes it easier when connected to authenticate to resources. However, my PC has never been on our network directly and isn't tied to AD.  I get on OK as well, but because I'm not tied to AD I have to do more "manual" authentication... but I'm a geek and don't mind the extra key strokes.  :)