🛡️ Option #1: "The Bubble": Old Windows behind a modern router + DNS filtering + no browser

This is the safest configuration, but the most limiting.

You'll need:

• A modern router/firewall (pfSense, OPNsense, OpenWRT, UniFi)
• Outbound firewall rules:
  • Block all inbound traffic
  • Block all outbound except:
    • NTP
    • DNS (to a filtering resolver)
    • Specific IPs you explicitly allow
• DNS filtering (NextDNS, AdGuard Home, Pi‑hole + blocklists)
• No web browsing on the old OS
• Use it only for:
  • LAN file access
  • Retro software updates
  • Old game servers
  • RDP into the machine (not out)

Risk level: Low, as long as you never open a browser or email client.

🛡️ Option #2: "The Proxy Shell" -Force all browsing through a modern machine

This is the only way to safely browse the modern web from XP/7.

You'll need:

• Old Windows machine that connects ONLY to a modern proxy:
  • Cloudflare WARP Gateway
  • Squid proxy on a Linux box
  • Browser rendering proxy (Browservice, WebOne)
• The proxy:
  • Terminates TLS
  • Strips dangerous content
  • Re-renders pages as images or simplified HTML

It works because your old OS never touches modern JavaScript, fonts, images, or TLS.

Risk level: Low–medium, depending on how strict the proxy is.

🛡️ Option #3: "The Airlock": Old Windows with a hardware firewall appliance

Hardware firewall examples:

• Protectli box running pfSense
• MikroTik router with strict rules
• Firewalla Gold

Ruleset:

• Block all inbound
• Block all outbound except:
  • Specific ports
  • Specific IP ranges
• Disable UPnP
• Disable SMBv1 on the network entirely

Risk level: Low, but requires networking knowledge.

...

Consider that normies are migrating to devices. Doing critical online stuff like banking through a smartphone app is much safer than through a browser on Linux (for many reasons, not just that some Linux keeps your password in a normal text file) or even Windows. An offline Windows computer is still capable of Adobe, Office, CAD, single player games, etc.