Yes, it can still be attacked, using a web browser (or anything else, really) on a seemingly secure device on the same network as a proxy of sorts. There’s a lengthy paper on this method. As it explains:
JavaScript loaded from a malicious site can connect to services running on the user’s local computer (localhost) or on other internal hosts in many circumstances. Modern web browsers do not completely prevent attacking the internal network using a victim browser as a proxy. In fact, not only can we have the victim browser send requests internally, but we can also discover internal hosts, do limited port scanning, do service fingerprinting and finally we may even be able to compromise vulnerable services via a malicious JavaScript.
In essence, this is a specific case of cross-origin request forgery or cross-site scripting. How well this works depends on what the XP device is doing.
Keep in mind that the browser can even be used to exploit some non-HTTP targets. After all, the goal is not getting an HTTP response, but rather making the target device do things.
Note that this type of attack doesn't require the "proxy" computer to be compromised in any way, just to run JavaScript from a malicious source. It doesn't even have to have visited a malicious website, since malicious content is sometimes smuggled into legitimate ad networks, and therefore loaded from pages on completely innocent websites (a practice known as malvertising).
tl;dr: Your XP device must also be secured against attacks from the local network.
I recommend using a VM (with NAT connectivity only, not bridged) instead, unless 3D acceleration is absolutely required.
