The naive scenario is to fire up those VMs in a network completely contained within your development system and test locally. This makes the VMs safe.

However this seldom works because web sites, even the ones running on localhost, have all sort of external dependencies, from webfonts to third part assets stored on CDNs. So VMs need an access to the Internet and that access could compromise them.

Probably restoring them from the original image after each shutdown is the best way to fix this issue.

Use? No. Test with? Certainly.

I would almost say "challenge accepted" - this calls for a little test!

I don't believe that the images that Microsoft made available are so vulnerable as-they-are that they will be infected within hours...

You must not remember some of the more memorable worms like blaster. It was a complete nightmare and would own machines that weren't behind a firewall in minutes. Luckily long since patched, but it's only a matter of time for others.

True - those were the days...

However, I believe these OS-es come with certain presets that will not expose them to the wild-internet immediately. I assume (yes - assume) that MS has enabled the firewalls per default on these images, so unless you use them to browse to certain "entertainment sites" you should be quite ok...

Edit: ok, ran a lab-test (so not the real thing): Windows XP with IE6 on one VM, Kali with Armitage on the other. A "Hail Mary" of 22 exploits did not result in any session on the windows machine...

Actually, you can update with windows update. It will take a lot of time though.

But when was the last update for Win XP ? 2 years ago ?

So use Windows 10.