We have a need to deploy firefox via a virtual application to desktops that do not have internet access to minimize the chance of viruses on these desktops. When the users launch the virtual application, is it within it's own box? Or can the RDS host potentially get a virus from the internet useage?
The RDS host itself would be vulnerable, but the desktops running the Horizon client should be safe as the only traffic they are seeing is the remote display protocol traffic (assuming you have things like USB redirection, client drive redirection, copy/paste, etc disabled)..
like pchapman said your RDS host would be vulnerable.
I think your best bet is to look at ThinApp to encapsulate a browser and remove access to the filesystem.