Remote access

Building VDI at school! What is the most convenient way?

Launched a terminal server on Windows Server 2012 in beta mode. At first everything went well, but then the falls began with a regularity of once a week. Often the personal files of teachers were leaked, once the address of one teacher was burned. There were also attempts to launch viruses on the server.
We moved to Windows Server 2019 (we tried to launch the electronic manual there for 2 weeks, until I demolished Microsoft Flash Player and installed the normal Adobe Flash Player) and the problems did not go away. While everyone is studying full-time and the server is mostly idle, but there are connections, which means security problems.
Server Purpose:Running programs that use legacy technologies such as: Adobe Flash Player, Adobe Shockwave Player+Macromedia Authorware Web Player, Microsoft Silverlight. Launching computer programs and computer versions of sites, for those who have a smartphone or just Windows XP.
Server tasks: Provide students with access to Windows programs and an HTML5 browser using an RDP client or using a browser. Provide teachers with full access to the personal profile terminal session with the ability to store personal files in network folders and prepare practical work for students. Provide the opportunity for the school principal to intervene in the educational process at any time.
Work criteria:Security and clear separation of access rights. The student can only run certain programs and have access to files authorized by the teacher or other trusted person. The student can NOT read system files and personal server administration files. The teacher, although he has a full-fledged session and can run any programs (there are also nuances here), BUT does NOT have administrator rights.

How to implement everything yourself? What guides and instructions to use? What software is required? How much will it all cost?