VPN is the way to go then. As the w2k server will be exposed to the Internet anyway, also use it as a VPN server. It can use the Active Directory user database. The clients need only their login/pw (be sure to allow remote login for the user accounts); the IP they use is not of importance in the(ir) PPTP protocol.
NAT could cause problems. If you are lucky, it is sufficient to change the ports for RDP on the client side (I think it is possible) and just map them to the standard ports (for example: a client that tries to connect on TCP 4000 is forwarded to IP 192.168.5.10 port 3389, 4001 to IP 192.168.5.11 port 3389, etc.).
With some protocols (sorry, I don't know what's the case with RDP) you need special masquerading modules (I don't know whether any exist for RDP or w2k server) that make NAT possible for that protocol, because it is not always possible to simply change the IP header information in the packet. Especially with protocols that have security in mind, there may be IP information that is encrypted, etc. That's why VPNs are almost always terminated at the firewall.
Setting up a VPN with MS w2k server is really easy. It is the Routing and Remote Access service. But be sure to use secure passwords for the users that are allowed to connect (disable for all other users!). And really force them to change passwords (group policies). While you are at it, disable local login on the w2k server that is the router, for all accounts except administrator.
And so on...