Where I work now they have a VNC server shortcut on the desktop of everyone's machine. When you call support they have you start the server and give them the IP address, then you turn off the server when they're done doing whatever config they need to change. I'm sure they are spying in other ways, but this seems like a good way to implement your method #1.

It works extremely well. It's not called VNC on the shortcut, it's just called "Enable Online Assistance", but it's just VNC.

Jim

Edit: I just ran it and it's TightVNC, and it's branded with our company logo. We get around the port/firewall issues by having the machines hooked up to the VPN. If the VPN is the issue (user can't connect to VPN), then you can run into blocked port issues.