Air-gapping Windows is secure enough if you have filled all your USB ports with epoxy and use PS/2 ports for your mouse and keyboard . . .
One of the problems is the huge amount of software out there that depends on .NET 2.0 (yes, I know that 3.5 supports it, but it a PITA to get Windows to install it - IOD my ass).
Another is all the not so old hardware around that only speaks CIFS/SMB1 and you have to install chatty old CIFS.
So long as there is physical access to the machine (which includes you using it and plugging in a USB drive with stuff you brought home from work) there is no absolute security.
And the more you secure a machine the harder it is to use as a normal PC.
That said, it
is possible to secure Windows tighter 'n a mouses ear'ole, but it requires an intimate knowledge of Windows internals and far too much time for me.
Best assurance is lots of
tested backups (I've ditched MS' useless product and gone over to Macrium - much better) and a
tested clean system image tucked away somewhere.
There isn't much you can do about the cut-down MINIX os embedded in most modern mobos though - just pray.
Mac