Sorry, I think I misunderstood this point in your last reply.
Yes, the Windows VM will join the domain. But you still have the MAC OS running next to it, that the user can switch to. Now you have to address anything you've done with regards to network security (IPSEC, intrusion detection, AV,etc.) all over again.
Not necessarily. There are multiplatform packages, some open-source, that address this. So all your machines, Mac, Windows, Linux can all run the same AV, antiintrusion and VPN protocols.
Not so huge an issue any more. Well, unless you want to go with bloatware from, say, McAfee or Symantec.