I know this is old now, but honestly you're overthinking this.
First, as others have mentioned here you can use TeamViewer to do remote desktop support, and it's free. No need to upgrade to Windows 7 Ultimate or anything else for that matter. I've used it on OSX, Windows and Linux and it works like a champ. I've supported family and friends... and even had a commercial license for TeamViewer for a while because it really is so easy to use and maintain that I found it invaluable. I don't do that job any more, but I still maintain TeamViewer on my computers in my house so I can get into them and manage/maintain them while I'm on a business trip. Same on my son's laptop so if he has a problem I can support him remotely.
Now of course it comes to your son. Don't. Seriously... kids are going to be kids, and they're going to work around any controls you put on a computer. The only thing you are LEGALLY required to do is to control what he has access to at YOUR home. Once he's off your network, anything he does is the responsibility of the party that owns the network he's using. Yes, he should be held responsible by you as a parent, but legally there's nothing forcing you to do this. Plus, kids are going to find workarounds regardless; my son is 15 so you can imagine the battles I've had with him over the years. As it stands now, I manage his Internet access at home using a SonicWall TZ-215 firewall that has Gateway Anti-Virus and some content controls turned on. Honestly, I don't block porn... he's 15... but I do block some categories I personally find distasteful; hate speech and the like. If he needs something for a particular essay he's doing for school that's blocked, he can ask me to unblock it and he does. This way there's mutual trust going on, which to be honest is the RIGHT way to parent.
I also don't check the logs to see where he's going on the web. Just so long as he's not doing anything illegal (and yes, I do block BitTorrent for that reason) that could get me in legal hot water I don't particularly concern myself with it. I check his laptop for malware and to make sure updates are in place periodically, but beyond that I don't see the need to get overly stressed about it. Besides, we have an understanding that if he does anything bad that gets his computer malware that's going to be too much trouble to clean up (like more than 30 minutes of work on my part) then his machine gets re-imaged and he gets to reinstall everything, restore his own files etc. I make him responsible for his backups as well.
Is my system perfect? No, but it works. And right now I have a 15-year-old boy who may or may not go on porn sites occasionally (I really don't care), plays games occasionally... but generally is a well-behaved kid when it comes to technology.
I guess what I don't get about your requirements: if your primary reason for the site B connection is supporting your parents, then why backhaul all the Internet traffic across your own network? With a decent managed firewall you can do all the controls you like, and there are web-managed options as well. Some of them even support OpenVPN natively or some IPsec variant that you can create a virtual private network for managing stuff. If you really want content controls on your parents' network then you really need to review what you're trying to accomplish here. You don't have to get something as fancy as a SonicWall, there are plenty of other cheaper options but that is certainly one.
I do have a VPN as well as my TeamViewer connections... honestly SSH is easier to manage my Linux boxes than TeamViewer most of the time because I don't need a GUI. As a result, all my Linux boxes partake in an OpenVPN network against a hub system hosted on Linode (where my web server is also hosted). I have the OpenVPN client on my laptops so when I'm out and about I can join the network and SSH to any of the systems no matter where I am (I keep a HOSTS file with all the IPs). Bonus: I can host my own mail server on my home box without using the storage on the Linode because I have it stood up as a VM on my home server... the Linode has a pretty basic Postfix configuration that relays to the private interface via OpenVPN, and the mail server is configured to send mail out via this same relay method. If my mail server goes down then said mail just spools on the Linode until it comes back up. Since I only have a handful of users (family and friends) it's not a big deal. For the record, I use Zimbra as my mail server for simplicity's sake :)
And yes, the SonicWall also partakes in the OpenVPN... so if I connect to my VPN from a hotel in another city, I can then browse to my SonicWall's web interface and manage it. For me it's better than "cloud managed" :)
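
The mail relay described in the post above (a public hub that accepts mail and forwards it over the VPN to the home server, spooling while that server is down), sketched as Postfix configuration. This is an added example, not part of the original post or the poster's actual configuration; the domain example.org, the tunnel addresses 10.8.0.1 (hub) and 10.8.0.2 (home server) and the file paths are assumptions.

```conf
# ---- Hub (public VPS), /etc/postfix/main.cf ----
# Assumed values: example.org, 10.8.0.1 = hub tunnel IP, 10.8.0.2 = home server tunnel IP.

# Accept mail for the domain, but forward it instead of delivering locally.
relay_domains = example.org
transport_maps = hash:/etc/postfix/transport

# Only the home server's tunnel address may send outbound mail through the hub.
# A whole-subnet entry such as 10.8.0.0/24 would let every VPN client relay.
mynetworks = 127.0.0.0/8 10.8.0.2/32
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination

# How long deferred mail stays queued while the home server is unreachable
# (5d is the Postfix default).
maximal_queue_lifetime = 5d

# ---- Hub, /etc/postfix/transport (run "postmap /etc/postfix/transport" after editing) ----
# Square brackets skip the MX lookup and connect straight to the tunnel address.
example.org    smtp:[10.8.0.2]:25

# ---- Home mail server, /etc/postfix/main.cf ----
# Shown for a plain Postfix install; Zimbra sets the equivalent through its own admin tooling.
# Send all outbound mail to the hub over the tunnel.
relayhost = [10.8.0.1]:25
```

Without a `relay_recipient_maps` list on the hub, it accepts mail for addresses the home server will later reject, so the hub ends up generating the bounces.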