Now for a couple of tips that I employ on the network. Maybe they are relevant to you, maybe not, but if they can help then all the better.
1. I don't delete the Guest account, rather leave it disabled. There have been short notice occasions whereby the Guest account has proved useful.
2. The sa account remains disabled at all times unless an authorised DBA requires it. It has, as you have done, a complex password which is stored in a secure location. Unfortunately, stopping anyone from having the sa account may not be something that is allowed within company policy, but ensuring tight restrictions will certainly help.
I understand your concerns about having the .mdf and .ldf(?) files in a shared location! What is the reasoning behind that? Both files will be in constant use and cannot be modified at the file level. Is it planned to take the database offline and copy the files to another location on occasion? There are certainly some funny things going on with this particular customer I would say!
You mention quite often using the Group Policy Editor. Is this machine in a domain environment? If not then editing the Local Machine Policy would be far better although it will still be very restrictive in what it can do.
As for accessing a Windows 7 machine: RDP or Windows Remote Support utilities are the sorts of tools you need.
To be honest, I would strongly recommend disassociating yourself from this project because from what I have read up until now it can only end in tears.
A production database on a laptop.
Unlocked and widely available sa credentials.
User access to mdf and ldf datafiles.
Uncertain security settings to the host.
Disrespectful treatment of company data.
Uncertainty about SQL Server management.
This story is unlikely to have a happy end. Do your nerves (and your reputation) a favour and get the f*-/ out of Dodge!