well, i'll take a stab at it
Let me preface this by saying that I've never worked with a SonicWall device, so these ideas are offered with no guaruntees.
It looks like if you go into the 'access' section of the web management interface and then click on the 'rules' tab you'll be able to add a new rule preventing access from the netA and netB to the remote user. Since they use stateful inspection (according to the webpage) it should be able to allow the home user to initiate a connection to machines on the nets A and B, but not allow machines on those nets to initiate connections to the home user.
The only thing that I'm not sure about here is the whole "windows advertising to its neighbors" thing. If that still gets though you could try blocking ports 135, 137, and 139 (i think those are the only ones that windows uses for network neighborhood etc.) from the home user to the internal nets, however this might have the unintended side effect of limiting what the home user can do (i.e. he won't be able to brows shared drives etc.) a workaround might be, since i'm assuming he also has administrative control of the FWs, to place the above mentioned blocking rule in the ruleset, but have him disable the rule only when necessary. This does still leave his system visible, but only for a short period of time, and for that matter if he's using win2k, he should be able to lock down what other people can see on his machine anyway (restrict anonymous ipc connections etc.)
Hope that helps.