How to provide a laptop and protect information from copying?
We want to hire an employee in another city, provide him with a workstation, but at the same time protect the information on this device from copying (the device itself will be at the employee's full disposal). It is necessary to encrypt disks, prohibit the connection of external devices, allow access to the network only through the company's server (where access will only be allowed to certain IPs). Is such a thing possible? With the help of what means can it be implemented (including paid ones)? The OS does not matter, since the software is cross-platform.
If we talk about the same gateway for accessing the Internet, then the possibility of replacing the server with the help of manipulations with routing should be excluded.
Sign an NDA with the employee, or whatever the document is called, essentially about non-disclosure, and you will be happy; if you suspect a leak, go to court and that's it.
Technically, no way.
The only competent way is to select people who value their reputation and have a high level of professional ethics. The only thing is that many of these people will not join your fly-by-night outfit if it does not have an equally impeccable reputation. Take care of your honor from a young age, as they say.
No.
Although you did not specify: from copying or from leakage? A leak can be arranged by simply copying things down on a piece of paper :) In theory it can be prevented only by using the SMP with the monitoring function through the laptop's webcam, and even then it will be useless without Internet access.
Copying, that is, creating a copy of a file on some medium while preserving its structure so that it is more convenient to work with, is also possible. Even with all the bells and whistles imaginable. No administrative rights? So we take Hiren's, boot from a CD, reset the local admin password, elevate privileges, all without using vulnerabilities! Having obtained the rights, we can disable any guards and register any device as trusted. We can simply make a straight copy of the hard drive with tools intended for this, for example Acronis, and then examine the copy for as long as needed.
Yes, after the fact, the SMP can notify about copying when the laptop goes online, if the buffer does not overflow. But it won't be able to prevent the leak itself, especially if it's not a database but some kind of photo :)
Full access is full access. That is why all sorts of "cloud" providers are dangerous: they know this very well, and therefore they are trying to get your data ...
The information displayed on the screen can simply be retyped, photographed, or recorded on video.
To get an answer to this question, you will have to tell a lot more:
1. What exactly are you protecting
2. The model of the intruder
...because protecting everything from everyone will not work. Even if you don't need offline access, the traffic can be opened with a sniffer. Do you encrypt? OK, there is an admin. Is the admin deaf, blind and mute, and a believer in God? OK, there is a cleaner who will leave a camera in the admin room. No cleaner? OK, there are special services that will plant a micromicrocamera...
There will always be a certain limit that is unprofitable to overcome. Which separates your violator model from infinity. And this limit depends on item 1 - what you protect.
So what do you want to protect, and from whom?
Why recruit people who want to leak information and leave? No technical means will save you from such an employee once he gets access to the information.
But if the employee is loyal, and you are protecting yourself from unintentional leakage or theft of information by third parties, then something can be done:
1. Sign a non-disclosure document.
2. Install and configure: anti-UAS protection system, DLP, firewall, antivirus.
3. Centrally collect and monitor logs.
4. Total encryption of all disks, including the boot disk.
5. Sealing the case and the disk compartment.
6. Strengthened authorization: tokens, smart cards, etc.
7. A worthy salary to an employee for torment in the course of performing his official duties.
8. Prohibition of access to the Internet.
Provide terminal access to your resources with appropriate security rules. Although in this case the employee can simply take a picture of the screen with the information of interest.
I support the option with Windows Remote Desktop.
But there are solutions for a standalone laptop:
- It is possible and even necessary to encrypt the laptop. VeraCrypt will help, and you can also set up a USB hardware key (such as ruToken with a PIN code) so that the person does not know and does not use the password, but inserts the key and enters the PIN for the laptop to boot. Otherwise he will write a complex password down on a piece of paper.
- Device control: paid software, StaffCounter. It will block the connection of other devices, Bluetooth and DVD, will prohibit downloading software from the Internet (and its own uninstallation) and sending files to the network, including LAN / FTP, and in general will monitor user actions, take screenshots and all that.
- As for the network, no solution comes to mind yet.
Install round-the-clock video surveillance of his workplace and assign a security guard-observer.
Why give him a computer at his disposal? You can have him work remotely with resources that are physically in another city and restrict his copying rights.
I also vote for access via RDP. If you provide him with a laptop, then it's better to provide a weak laptop with no mobile Internet and RDP to a workstation than to fool around with a task that is not realizable in principle. I myself implemented access this way for several employees. (True, I myself have full access and no one signed any NDA with me, but I am a decent person and I wish you the same kind of employee.)
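For the RDP option that several answers above recommend, the sketch below (an added example, not code from any poster in this thread) audits a `reg export` of the Remote Desktop Services policy key on the session host and lists the redirection channels (clipboard, drives, printers, ports, Plug and Play devices) that the policy still leaves open for moving files out of the session. The sample export is constructed, and the text is assumed to be already decoded from the UTF-16 that `reg export` writes.

```python
import re

# Policy key for Remote Desktop Services; each value below, set to 1,
# disables one redirection channel between the client and the session.
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
REDIRECTION_POLICIES = {
    "fDisableClip": "clipboard",
    "fDisableCdm": "drive mapping",
    "fDisableCpm": "printer",
    "fDisableCcm": "COM port",
    "fDisableLPT": "LPT port",
    "fDisablePNPRedir": "Plug and Play device",
}
DWORD_LINE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Return {key_path: {value_name: int}} for DWORD values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = DWORD_LINE.match(line)
            if m:
                current[m.group(1)] = int(m.group(2), 16)
    return keys


def open_channels(text):
    """List the redirection channels that the exported policy does not block."""
    by_key = {path.lower(): vals for path, vals in parse_reg_export(text).items()}
    values = by_key.get(POLICY_KEY.lower(), {})
    # A missing value means the policy is not configured, so nothing blocks it.
    return [label for name, label in REDIRECTION_POLICIES.items()
            if values.get(name, 0) != 1]


# Constructed sample export: clipboard and drives blocked, printer explicitly allowed.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"fDisableClip"=dword:00000001
"fDisableCdm"=dword:00000001
"fDisableCpm"=dword:00000000
'''

if __name__ == "__main__":
    print(open_channels(SAMPLE_EXPORT))
```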