Way to force ssh tunneling to be required for Screen Sharing

Tags: encryption, remote desktop, Security, ssh, tunnel

I have enabled Remote Management on a mac. Everything works fine when I connect from another mac using Apple's Remote Desktop app. However, I also want to have a client on a windows machine. In that case I can go to the computer settings under Settings > Sharing > Remote Management, and there is an option "VNC users may control screen with password" where one can give a password for accessing them.

From what I understand, the initial transaction of exchanging the password is done securely. However, all subsequent transactions are not. This implies that when a user attempts to log in to the machine and gives his/her actual password, that password is out there without any encryption whatsoever. So, what I would like to do is to allow VNC connections only when the client has already established an ssh tunnel with the server/machine. However, I do not see such an option anywhere.

So, what I really want is to force this ssh tunnel on the client side. On the other hand, just leaving it to the good will of the clients is not a good idea, especially if I rely on people running windows to remember constantly to tunnel, say through putty, and only then attempt to use vnc.

Moreover, Apple's Remote Desktop app does allow full encryption for all interactions by selecting an option under preferences > security (on the client side). I can be OK with that, in the sense that this option should be enabled once, and from that point on all subsequent interactions will be encrypted. (By the way, is there a windows program out there with such a simple option so that one can use it under windows and connect to a mac?) However, the problem remains here as well, as I am not sure how the server would force all the transactions to be encrypted. There is again no option on the server side for such a thing.

Is what I am trying to ask irrational?

I am looking forward to your answers.

Best Answer

I would advise you to create a permanent ssh tunnel so you can local forward the connection port from the Windows host to the connection port on the Mac host using Bitvise Tunnelier: https://www.bitvise.com/tunnelier. While I have not personally used it, this question explains a similar problem: https://superuser.com/questions/235395/automatic-ssh-tunneling-from-windows
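The answer covers the client half (a permanent local forward); the question also asks how the server can make the tunnel mandatory. The script below is an added example, not code from the question, the answer or Apple, showing both halves: the ssh local-forward command a Windows client would run, a pf rule set for the Mac that accepts the VNC port only on the loopback interface (tunneled sessions arrive there from sshd, so untunneled clients are blocked), and a small audit that scans `lsof`-style listener output to confirm that only the firewall, not the socket binding, is keeping the port off the network. Assumptions not stated on the page: Screen Sharing listens on TCP 5900, Remote Login (sshd) is enabled on the Mac, the host name `mac.example.local`, the user `alice`, and the anchor name `vnc-tunnel-only` are all placeholders, and the sample listener lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original question or answer): making an SSH tunnel
# mandatory for VNC / Screen Sharing on a Mac.
# Assumptions: Screen Sharing/VNC listens on TCP 5900; sshd (Remote Login) is enabled
# on the Mac; the Windows side has an ssh client (OpenSSH for Windows; PuTTY or Bitvise
# can configure the same local forward in their GUIs).

VNC_PORT=5900

# Client side: the command that keeps a local forward open. A VNC viewer pointed at
# 127.0.0.1:<local_port> on the Windows machine then reaches the Mac only through the
# encrypted tunnel. Usage: tunnel_cmd <local_port> <user> <mac_host>
tunnel_cmd() {
    printf 'ssh -N -L %s:127.0.0.1:%s %s@%s' "$1" "$VNC_PORT" "$2" "$3"
}

# Server side: pf rules for the Mac. A tunneled session is delivered by sshd to
# 127.0.0.1:5900, i.e. over lo0, so passing the port on lo0 and blocking it on every
# other interface leaves the tunnel as the only way in. "quick" makes the first match win.
pf_rules() {
    cat <<EOF
pass in quick on lo0 proto tcp from any to any port $VNC_PORT
block in quick proto tcp from any to any port $VNC_PORT
EOF
}

# Install the rules as a pf anchor and load them (run as root on the Mac).
# Hypothetical anchor name; review /etc/pf.conf on the machine before changing it.
# pf is disabled by default on macOS, so the enable step is needed after each reboot
# unless it is made persistent.
apply_pf_rules() {
    pf_rules > /etc/pf.anchors/vnc-tunnel-only
    grep -q 'anchor "vnc-tunnel-only"' /etc/pf.conf || {
        printf 'anchor "vnc-tunnel-only"\n' >> /etc/pf.conf
        printf 'load anchor "vnc-tunnel-only" from "/etc/pf.anchors/vnc-tunnel-only"\n' >> /etc/pf.conf
    }
    pfctl -f /etc/pf.conf && { pfctl -e 2>/dev/null || true; }
}

# Audit: read LISTEN lines in the layout of `lsof -nP -iTCP -sTCP:LISTEN` on stdin and
# print those where the VNC port is bound on a non-loopback address. Screen Sharing
# normally binds to *:5900, so a hit here means only the pf rules keep untunneled
# clients out; an empty result means the service itself is loopback-only.
exposed_vnc_listeners() {
    grep -E "TCP [^ ]+:$VNC_PORT \(LISTEN\)" | grep -Ev 'TCP (127\.0\.0\.1|\[::1\]|localhost):'
}

# Constructed sample listener tables (not real output from any machine).
SAMPLE_ALL_INTERFACES='COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
screensha   412 root    5u  IPv4 0xabc      0t0  TCP *:5900 (LISTEN)
screensha   412 root    6u  IPv6 0xabd      0t0  TCP *:5900 (LISTEN)
sshd        301 root    3u  IPv4 0xabe      0t0  TCP *:22 (LISTEN)'

SAMPLE_LOOPBACK_ONLY='COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
vncserver   512 alice   5u  IPv4 0xabf      0t0  TCP 127.0.0.1:5900 (LISTEN)
sshd        301 root    3u  IPv4 0xabe      0t0  TCP *:22 (LISTEN)'

# Demonstration when run directly.
echo "Client command: $(tunnel_cmd 5900 alice mac.example.local)"
echo "pf rules for the Mac:"
pf_rules
echo "VNC listeners reachable from the network (constructed sample):"
printf '%s\n' "$SAMPLE_ALL_INTERFACES" | exposed_vnc_listeners
```

The pf rules do not replace the "VNC users may control screen with password" check; they only ensure that check, and the user's login afterwards, happens inside the tunnel. Keeping the forward alive on the Windows side is the part the answer delegates to Bitvise Tunnelier; with plain OpenSSH the `tunnel_cmd` line would have to be restarted whenever it drops.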
