Nabi Alimetov, 2020-03-27 13:13:41
Malware

Can viruses be transferred to another computer when connected via RDP?

IT departments do not have the ability to monitor the state of home computers in terms of information security. Therefore, I would like to know if viruses can in any way (buffer, local resources) get to employees' work computers from their home ones. And if so, how to deal with it? If they connect to a terminal server, then there are many options and the issue is resolved quickly. But what if they connect to their computers at their workplaces?


6 answer(s)
#, 2020-03-27
@mindtester

RDP does not guarantee protection against viruses. For example, there are warnings when mapping local disk devices is allowed in the connection parameters. But if you need file sharing, you will have to allow it.
Put another way, there is at least a threat of infection with any method of file sharing (flash drive, network, including mapping via RDP).
No special protection is required: if you have an antivirus, there is nothing to add (upd: except not to make mistakes).

P.S. Extreme protection (a joke with a bit of humor):
- do not map devices
- do not download files
- quit your job
- disconnect the internet and mobile phones
- go live in the taiga or in the mountains
P.P.S. And about extreme threats:
- A 0day can be found anywhere, possibly in RDP* too, even if you connect without access to local devices. The access is provided for by the protocol, it is just prohibited. And serious malware is created precisely to bypass prohibitions.
- Everyone who has been more or less interested in information security is familiar with one of the most illustrative cases, Stuxnet. But if you work somewhere that handles state secrets, there are people whose job it is to worry about that.
- If you are the head of IT/information security in your company and are asking this question, I think the biggest threat to your company is ordinary malware: miners, stealers of banking data and passwords, and so on. But protecting against them only requires raising your general level in IT/information security. In short: do not make blunders, and at least follow Microsoft's recommendations for administrators. They are fairly easy to find. Good luck.
* Another extreme example: information security specialists have demonstrated breaking out to the host system even from a virtual machine. But I did not save the link, or saved it somewhere far away; the story is almost a couple of years old.. or maybe more ))

res2001, 2020-03-27
@res2001

If you do not take into account that there may be some vulnerabilities in RDP itself, then a user can transmit a virus only by copying some file from his computer to the work one, if the disks are mapped. Theoretically, a virus running on the client's home machine can also copy files. But transferring the file is not enough: it must also be launched remotely. If the malware replaces the standard RDP client, then it will be able to do a lot of things within the user's rights on the remote PC. I have not heard of such a variant of viruses, but theoretically, why not.
Normal protection: antivirus on the remote computer, only limited rights, plus a blocking corporate firewall. Forcibly do not map disks and other flash drives. Under such conditions, even in the local case, it is quite difficult for a virus to develop its activity.
As for RDP settings on desktop Windows: yes, there are no buttons, but everything is the same in GPO and in local security policies (if AD is not deployed).
I would not let users onto my local computers on the network remotely, since you get a number of really uncontrolled entry points to the network. The virus may not penetrate there, but the users themselves will be able to take away everything that is not nailed down.
The sensible approach is to set up a terminal server in a DMZ. From it, provide access to the LAN through an additional (not local) closed firewall with access only to the necessary network resources. Users must keep the necessary files in accessible network directories. On the terminal server, leave only secure protocols running, set up a full-fledged certificate with its own CA, and be sure to enable authorization at the network level.
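
The settings named in the answer above (forced "do not map disks", the clipboard asked about in the question, network-level authentication) can be checked on the machine that accepts the connection. This is an added example, not code from any of the answers; it assumes you feed it the output of `reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"`, and the sample output embedded in it is constructed.

```python
import re

# Baseline for the work PC or terminal server (the side IT controls).
# Names are Remote Desktop Services policy values stored under
# HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services.
BASELINE = {
    "fDisableCdm": (1, "drive redirection is not blocked by policy"),
    "fDisableClip": (1, "clipboard redirection is not blocked by policy"),
    "UserAuthentication": (1, "network-level authentication is not enforced by policy"),
}

# Constructed sample of `reg query` output, not taken from a real host.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
    fDisableCdm    REG_DWORD    0x1
    fDisableClip    REG_DWORD    0x0
    UserAuthentication    REG_DWORD    0x1
"""

# Value lines are indented; the key path line is not, so it is skipped.
LINE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")


def parse_reg_query(text):
    """Return {value_name: int} for every REG_DWORD line in the output."""
    values = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def audit(text):
    """List baseline deviations; a missing value means the policy is not set."""
    found = parse_reg_query(text)
    findings = []
    for name, (wanted, problem) in BASELINE.items():
        actual = found.get(name)
        if actual != wanted:
            state = "not configured" if actual is None else f"set to {actual}"
            findings.append(f"{name} {state}: {problem}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A value that is "not configured" only means the policy does not force the setting; the connecting client's own options then decide whether drives and the clipboard are shared.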

Artem @Jump, 2020-03-27
curated by the

No.
But with remote access, the user can download infected files and run them himself.

"IT departments do not have the ability to monitor the state of home computers in terms of information security."
And there is no such need.
Why monitor the security of home computers? Yes, let there be something.
It is necessary to monitor the security of the working infrastructure - the terminal server or workstation where the user connects.
Proper configuration eliminates the possibility of infection by 99.9%.
Competent configuration means, first of all, setting up user rights - both for accessing files and for launching programs.

Vladimir Korotenko, 2020-03-27
@firedragon

Some people install antiviruses there, Kaspersky or Dr.Web.
But it's up to you.

Therapyx, 2020-03-27
@Therapyx

Absolutely nothing. Unless you prohibit any transfer of files altogether. But adequate methods to minimize the chances are:
- Access via intranet only, i.e. first it is necessary to connect via VPN.
- For each user, a 2nd account with the rights to even launch .exe etc. files (but here again there is the human factor; it is worthwhile to thoroughly explain to people what is possible and what is not).
- Set the firewall to maximum isolation.
- Use virtual machines with the above-mentioned point))
I also seem to have heard that there is a special kind of software that monitors suspicious network traffic in network segments, but who knows ... I just heard))

Nertsan -, 2020-03-30
@Nertsan

Depending on what viruses and how everything is configured in general, they can, but not always
