Tell me about it, I caused some fireworks by pointing that out too.
They were quite defensive until I sent them a vulnerability report for the AV version from years ago....
As the thing is 1100km away I'm reluctant to do too much with it, have restricted its inbound access to our local network and will let them look when the sun comes up.
I have had one thought, dead RDP sessions are set to time out, one guy leaves here two hours before the weird activity and I'm not sure what happens to the local network shares he has open (on the SME) when an RDP session times out. - RULED OUT (manually reset his session)
--
I have found that one RDP user had shortcuts on the remote desktop to the local server ibays that are affected. This activity must be related to that but I'm not sure if it is normal for Windows to query a (closed) RDP user's network shortcuts for those kinds of files at some time, still looks dodgy.