I presume this is behind a corporate firewall, and users have to VPN into it to hit this payroll system page.
That's foremost. It shouldn't be published directly to the 'net -- anyone can and will find it, and bruteforce passwords, hack away, etc.
So that way, you're limiting to your home users. Still not ideal for the points you bring up, primarily: they may not have up to date/patched/secured PCs themselves.
Which means, for instance, they could be compromised, and with keystroke loggers on their PCs, which gives anyone full access to your site, including VPN info -- if your VPN is limited to username/password for security.
You should consider additional security measures, like, ensuring all machines that connect are 'sandboxed' until they're patched and up to date/virus scanned, etc -- then allow access to internal network. Not foolproof, but a good start.
foolproof is not allowing it to begin with :-)