You could put power switches on the Molex cables powering the hard drives to make them physically inaccessible to attackers while the internet is connected. On these old drives, one could set the jumpers to master on the switchable disk, so that one selects the operating system with the button. When both drives are active, the master takes over and boots without internet or network drivers, and the slave drive is treated as quarantine (read as plain text, but don't copy or execute). When only the slave is given power, a clean-slate system boots with internet but no physical access to the protected files. The account should not have any admin permission to flash the BIOS. Then browse through a virtual machine with a write-protected virtual disk.
If one does not have two hard drives, one can also just disconnect the only hard drive's power and live boot with Tails OS and a Tor browser from a DVD.
Today, however, it's very cheap to get physically separated mini-computers, which is even more foolproof. Then never connect any internet to your work computer.
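
The quarantine rule for the slave drive and the no-network requirement on the master system can be checked in software. The following is an added example, not part of the original text: it assumes the master system runs Linux, and the mount point `/mnt/quarantine`, the function names and the sample data are constructed for illustration.

```python
# Posture check for the offline ("master") system: the quarantine drive must be
# mounted read-only and non-executable, and only the loopback interface may exist.
# Assumption: Linux, with /proc/mounts and /proc/net/dev formats as input.
REQUIRED_OPTS = {"ro", "noexec", "nosuid", "nodev"}

# Constructed sample inputs (not captured from a real machine).
GOOD_MOUNTS = ("/dev/sda1 / ext4 rw,relatime 0 0\n"
               "/dev/sdb1 /mnt/quarantine ext4 ro,noexec,nosuid,nodev 0 0\n")
BAD_MOUNTS = ("/dev/sda1 / ext4 rw,relatime 0 0\n"
              "/dev/sdb1 /mnt/quarantine ext4 rw,nosuid,nodev,relatime 0 0\n")
HEADER = ("Inter-|   Receive                |  Transmit\n"
          " face |bytes    packets errs drop|bytes    packets errs drop\n")
NETDEV_OFFLINE = HEADER + "    lo:    0       0    0    0     0       0    0    0\n"
NETDEV_ONLINE = NETDEV_OFFLINE + "  eth0: 1500      12    0    0   900       8    0    0\n"

def parse_mounts(text):
    """Parse /proc/mounts-style lines into {mount_point: set(options)}."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            mounts[fields[1]] = set(fields[3].split(","))
    return mounts

def parse_interfaces(text):
    """Return interface names from /proc/net/dev-style text (two header lines)."""
    return [line.split(":", 1)[0].strip()
            for line in text.splitlines()[2:] if ":" in line]

def check_posture(mounts_text, netdev_text, quarantine="/mnt/quarantine"):
    """Return a list of findings; an empty list means the posture holds."""
    findings = []
    mounts = parse_mounts(mounts_text)
    # An unmounted quarantine drive is acceptable; a mounted one must be locked down.
    if quarantine in mounts:
        missing = REQUIRED_OPTS - mounts[quarantine]
        if missing:
            findings.append(f"{quarantine} lacks options: {','.join(sorted(missing))}")
    extra = [name for name in parse_interfaces(netdev_text) if name != "lo"]
    if extra:
        findings.append(f"network interfaces present: {','.join(extra)}")
    return findings

if __name__ == "__main__":
    for finding in check_posture(BAD_MOUNTS, NETDEV_ONLINE):
        print("FINDING:", finding)
```

On a real system the two text arguments would be the contents of `/proc/mounts` and `/proc/net/dev`.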