I have a more doable sketch of this, running in a guest account on a Raspberry Pi over Xvnc. Laptop is firewalled from the net; Raspberry Pi is booted from read-only media. Would need a hardware Ethernet firewall between laptop and Raspberry Pi to only allow VNC traffic.