System administration
Fall_Angel, 2013-07-07 11:33:28

Internet on a terminal server

Good afternoon.

Please push me towards the correct solution.

Task:
Give the user Internet access from the terminal server, while securing the server itself from possible infection as much as possible.

I see the following options:
1) Classic: we cut all possible rights and tune the write permissions on various directories + antivirus with a firewall + some interesting proxy.
(Cons: long tuning + cost of the antivirus and proxy)

2) Perverse: launch the browser as a RemoteApp from another server, which is virtual and rolls back to the default state, for example, once a day.
(Cons: server license cost (Server 2008R2/2012))

We will assume that the hardware resources on the virtualization cluster are consumed in both cases approximately the same.

Is it possible to publish the application free of charge? Or is there a better way to solve this problem?


7 answer(s)
joneleth, 2013-07-07
@joneleth

Come on, what's there to tune for a long time. If the user does not have administrator rights, and even has an antivirus, nothing more needs to be done.

Nikolai Turnaviotov, 2013-07-07
@foxmuldercp

Um, the first thing you need under Windows is ordinary user rights for everyone.
The second thing you need is local or group policies that prohibit launching software from anywhere except c:\windows and Program Files (plus the x86 variant).
Well, and MS Essentials for antivirus protection.
After that, only regular installation of updates for the installed software (1C, Office, Java/Flash, Adobe Reader) is required.
That's all.
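
A check that goes with the path-based launch policy described in the answer above, as an added example that is not part of the original thread: path rules trust every folder under the allowed roots, so this PowerShell audit lists subfolders of those roots where non-administrative accounts can create files. The list of trusted roots, the function name `Test-UserWritable` and the choice of SIDs are assumptions of this example; deny ACEs are ignored for simplicity.

```powershell
# Added example: audit the folders that a path-based launch policy trusts.
# Assumption: the policy allows %WINDIR% and both Program Files folders.
$trustedRoots = @($env:windir, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path $_) } | Select-Object -Unique

# Well-known SIDs of non-administrative principals (names are localized, SIDs are not).
$nonAdminSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# File-creation right plus the generic-write / generic-all bits some ACEs carry.
$createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
$writeMask   = $createFiles -bor 0x40000000 -bor 0x10000000

# Returns the first non-admin principal allowed to create files in $Path, or $null.
function Test-UserWritable {
    param([string]$Path)
    try { $acl = Get-Acl -Path $Path -ErrorAction Stop } catch { return $null }
    # Ask for the rules with identities already expressed as SIDs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        # Inherit-only ACEs apply to children, not to this folder itself.
        if (([int]$rule.PropagationFlags) -band $inheritOnly) { continue }
        if ($rule.AccessControlType -eq 'Allow' -and $nonAdminSids.ContainsKey($sid) -and
            (([int]$rule.FileSystemRights) -band $writeMask)) {
            return $nonAdminSids[$sid]
        }
    }
    return $null
}

$findings = foreach ($root in $trustedRoots) {
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $who = Test-UserWritable -Path $_.FullName
            if ($who) {
                New-Object PSObject -Property @{ Folder = $_.FullName; WritableBy = $who }
            }
        }
}
$findings | Sort-Object Folder | Format-Table Folder, WritableBy -AutoSize
```

Each folder it reports is a candidate for a tighter ACL or an explicit deny rule in the policy.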

Anastasia_K, 2013-07-07
@Anastasia_K

And have you not thought of doing the second option with the server part on Linux?

omnimod, 2013-07-07
@omnimod

As an alternative, you can virtualize the web browser application (Microsoft App-V, VMware ThinApp or others), adding the additional required components to the package: Flash, Java, etc.
But a proxy server and antivirus should be there in any case.

Alexander Kovalenko, 2013-07-07
@alk0v

Is the goal just to give the user Internet access? Maybe it's easier to let them out to the Internet directly from the thin client / RDP client? Even older thin clients have a browser.

mihmig, 2013-07-10
@mihmig

I would not recommend running the browser(s) on a working terminal server where work software is running, because the user has the ability to open an unlimited number of tabs with an unlimited number of buggy Flash banners.
And since in Windows (up to 2008 R2 inclusive) there are NO tools to limit the user in terms of memory / processor, this can slow down the entire server.
I would look towards a second terminal server on Linux (LTSP) with RDP access to it.

Konstantin, 2013-07-30
@derwin

At our enterprise we completely abandoned RemoteApp (Win 2008 R2 server). An extremely unstable thing. You sneeze a little and get a "protocol error", and you restart everything again...
