I don't understand. The Gateway is on an anon middle box (the laptop), and Windows is the workstation? So it's not really Whonix, it's just Windows + an anon middle box. Or do you mean, the Gateway is on an anon middle box, and run the Whonix Workstation (Linux) in a VM on Windows? You're right, and Qubes violates the principle of software simplicity. Excellent point. This is why we need to talk about it. Disregarding Qubes, I would tell them to run option #3, router with a VPN in another country + anon middle box running Tor + a popular Linux OS. If they can't afford the hardware, I would tell them to run Whonix on a Linux host.