I'm looking for some suggestions on how to handle a certain security problem.

Let's say that I have a SSL website, that will allow a user to first authenticate with two-factor authentication before proceeding to use an ActiveX control to securely connect to Terminal Services from across the web.

The problem is, I have no way of verifying that a user's computer has any antivirus or antispyware software on it, nor a way to verify that they do not have a keylogger or anything else on there.

Can any of you guys think of a good way to enforce a policy, such as to require up-to-date antivirus, or perhaps just a mechanism to do a simple trojan scan before allowing them to proceed to the point where they can authenticate and connect?

I've seen agents out there, but I hate to get in the business of installing and managing software on someone's home computer.

Thanks,
Mike