Moved to ePO for better support.
Look for the ePO Product Guide to answer your general questions about how McAfee works.
There's a lot of discussion in your post about what you "have to" do and very little about what you're trying to accomplish. If you want any kind of Anti-Virus protection on your systems, you must install the VirusScan Enterprise client. The McAfee Agent is only for management of the system and installed McAfee products, while the VirusScan Enterprise client provides anti-virus services.
ePO manages clients through the McAfee Agent. It doesn't matter if the managed system is in the same domain as the ePO server, or if it's standalone. As long as it has network connectivity back to ePO, and the system has the Agent installed with the correct configuration (i.e. pointing to the right ePO server), then ePO can manage it and serve software updates, DAT updates, and policy changes back to the managed system.
For the first question, you have to create a client task to install the antivirus from the ePO server and then install the agent; it will automatically install the VSE.
For the next question, if the workstations are communicating with the ePO server, you can follow the first step. If they are not communicating, then you need to install the antivirus only.
The agent is only for communicating with your ePO server and taking updates from your server.
1) You deploy the agents, and after that you can deploy VSE directly with a Client Task from ePO.
2.1) You always install the agent to manage all your endpoints, inside or outside your network. Don't care about the domain.
2.2) If that subnet has ePO connectivity, no problem. If not and it only has an internet connection, you can install an Agent Handler on your DMZ.