Enforcing a Restrictive Firewall Policy?

Due to the nature of the work in my home office, I have to maintain some computers with obsolete and unsupported operating systems (Windows 7 and XP). I have no sensitive or personal data on these machines, but a couple of them are also dual-boot (Linux) and so I can’t entirely wall them off at the router. Plus, since it is a home office, I do occasionally relax with some retro games on these machines which don’t work well under Windows 10.

I would like to mandate a very restrictive firewall policy for these computers. Basically, I would like for them to be able to receive any OS updates or activation info from Microsoft, updated endpoint protection and antivirus updates from Comodo/Itarian, and aside from that really no traffic which is not related to an outgoing request. I’d like to do this in such a way that it’s difficult for an attacker from outside to override even if I do inadvertently download and install some malware which is not caught (at least at first!) by my antivirus.

Suggestions?