Leave the computer permanently logged in as a restricted user (maybe kiosk mode), but allow the staff to run a RDP or similar session from it.
You can get the remote session to disconnect automatically when not in use, or to run from within the browser, and even access to local computer resources, like scanners.
CMax