Alright, here's what I've got going on. I have a home computer/file server/gaming rig running ubuntu 10.04 that I want to use with a physical keyboard/mouse/monitor, via VNC from inside the network (using the same X session), and also from outside the network (what I need help with)

Currently, the system automatically logs in and starts vino-server with my standard user account, which is fine for local use and inside the network. For outside the network, I want to start a second X session, auto login a second (non-sudoers/wheel) user, and start Gnome (or XFCE4 would be awesome) at a lower resolution/color depth. That's mainly what I need help with, I've found guides on starting multiple sessions (even multiseat), but nothing about having two different users auto-login.

That session would start tight vnc server on a different port then the default (something like 5950). That port would then be the only port forwarded through the firewall.

Before anyone mentions VNC over SSH, restrictions in place on the windows client make that impossible. I have set up source IP filtering in my modem, but I'm not 100% confident that my crappy little westell 327w is going to outsmart a script kiddie. The reason I want to do this is to increase security and get rid of the annoyance of having to switch from 1680x1050 to 800x600 every time I log in, not to mention that it would be nice to have a background and be able to play with compiz.

Can anyone help me out?

You could add an entry to your rc.local to start a vnc session on boot, like

not sure if that's the right syntax, but you get the idea, this would create a vnc session for user "username" with 1024x768 desktop and color depth of 8 bits on port 5905 or vnc screen 5. Then in your .vnc/xstartup file for vnc settings in your home folder edit it to start up the lightweight WM you want instead of your normal Gnome/KDE or whatever. Like below, this one from mine starts a gnome session.

I do this with an internal server that runs only CLI on the console, but occasionally I want to do little admin tasks in GUI, so I have it set automatically I don't need to create it every time.

P.S. if using port forwarding just port forward your weird port number to the actual VNC port on your internal server, then you don't have to deal with modifying the connection port on the vnc server. If someone ran a port scan against you when they found port 5950 open they could get that the service running on it was VNC anyways, protection through obscurity isn't really all that possible. btw what restriction are in place on the windows client to prevent SSH, closed port? you could run ssh over a different port, no SSH client or download allowed? put putty on a USB key or CD. No admin rights, putty will run without them and should still be able to setup tunneling, at least it does on XP, as I have used it on a non-admin user account before. I can't speak for Vista or 7 though.