Surely, using Win 2003/2008 R server Admin you can limit and modify the usage policies associated with your Win XP users.
As I said.... built-in or third-party security... running on top of XP is as good as having no security whatsoever. It'll all be exploitable via bugs in the APIs.
As le Pingouin said. If you insist on using XP, then I insist on you only using it with the internet unplugged ... permanently. Anything else is not an option.