deleted 4 characters in body
nigel222
  • 277
  • 1
  • 3

I note that the usage case is running ancient software to control ancient but still valuable hardware. IMO the only good reason for keeping ancient OSes alive.

The answer is a strict network block on a firewall between XP and the internet. Also strict restrictions between it and the LAN. Any packet from its IP address or its MAC address arriving at the firewall, gets dropped. Any incoming packet from outside to its IP address, likewise.

The average NAT router can't do this. A Linux system used as a firewall, can. That same Linux system can allow XP to use SMB1 or FTP or whatever, to copy data from itself to the firewall machine and nowhere else. This data can then be further copied from another host on the LAN. Sending stuff inwards does the same in reverse, but security-vetted personnel only, and there had better be a good reason!

XP box -- single x-over Ethernet Cable -- Linux box Ethernet port 1
                    isolated network, two fixed class C private addresses.

                                 software (no packets cross this firewall) +
                                 staging storage, preferably readonly from your LAN

                   Your LAN -- ethernet --Linux box port 2
                     fairly normal LAN connection, a different class C private net.

Users will hate this. They want to browse the net while the machine does its stuff. If you are certain you have the zero-routing firewall set up right and the XP-accessible filestore sufficiently well protected from their browsing, maybe you can let them browse using the Linux box.

Oh, and make sure you have an image backup of the XP system's disk, so if anything bad gets through (or if XP nukes itself, which isn't impossible), you can entirely erase the disk and restart from the backup.
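The two-interface, zero-routing firewall the answer describes, written out as an nftables ruleset. This is an added example and not part of the original answer; the interface names (eth0 to the XP box, eth1 to the LAN), the two private /24 networks, the XP box's IP and MAC address, and the LAN-side admin and read-only share ports are all assumptions chosen to illustrate the layout above.

```nft
# Added example, not from the original answer. Assumed layout:
#   eth0  192.168.200.1/24  crossover cable to the XP box (192.168.200.2, MAC aa:bb:cc:dd:ee:ff)
#   eth1  192.168.1.10/24   the normal LAN
# Load with:  nft -f xp-isolation.nft
# Also set net.ipv4.ip_forward=0 so the kernel never routes between the two sides,
# independently of the forward chain below (defence in depth).

define XP_IF     = "eth0"
define LAN_IF    = "eth1"
define XP_IP     = 192.168.200.2
define XP_MAC    = aa:bb:cc:dd:ee:ff
define FW_XPSIDE = 192.168.200.1

flush ruleset

table inet xpwall {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # XP side: only the known box (IP *and* MAC must match), only to the
        # firewall's own XP-side address, only to the staging services:
        # SMB (TCP 139/445) and FTP control (TCP 21).
        # Passive FTP data connections additionally need the ftp conntrack
        # helper; that setup is omitted here.
        iifname $XP_IF ether saddr $XP_MAC ip saddr $XP_IP ip daddr $FW_XPSIDE tcp dport { 139, 445, 21 } ct state new accept

        # Everything else arriving from the XP cable, including a spoofed
        # source address or MAC, is logged and dropped.
        iifname $XP_IF log prefix "xpwall-drop-xp: " drop

        # LAN side: admin SSH and read-only access to the staging share
        # (assumed ports; export the share read-only in the file server config).
        iifname $LAN_IF tcp dport { 22, 445 } ct state new accept
        iifname $LAN_IF log prefix "xpwall-drop-lan: " drop
    }

    chain forward {
        # Zero routing: nothing crosses between the two interfaces, in either
        # direction. Anything that reaches this chain is a misconfiguration.
        type filter hook forward priority 0; policy drop;
        log prefix "xpwall-forward: " drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
        # The firewall only ever answers the XP box; it never initiates
        # connections toward it.
        oifname $XP_IF ct state established,related accept
        oifname $XP_IF log prefix "xpwall-drop-out: " drop
    }
}
```

After loading, `nft list ruleset` should show the three chains with `policy drop` on input and forward, and a port scan from the XP side (or a LAN host with the XP box's address) should produce only `xpwall-drop-*` log lines. Sending a file inward then means an admin copies it onto the staging area on the Linux box from the LAN side and the XP box pulls it over SMB or FTP; at no point does a packet from the XP box reach the LAN.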
