kail is correct in saying there are far too many unknowns. For starters, what are the security constants of the XP system? Oh, and soft-disconnection of the XP system (that is, to disconnect via the network manager only) does not prevent malware from going out, trust me on that one. It happened here. And I agree with kail that using wireless exposes others to threats. If it happened here, I don't see why it shouldn't happen to others.
Formatting does not eliminate all malware. Some of them still manage to reside in the MBR or if you're using the XP installer to format, escape deletion somehow (not sure how this was possible, but active remnants of sixteen malware remained after a complete format).
My advice is to run Linux with LXDE environment (for minimal system resources), install a VM if it works then run the testing there. Avoid any other browser but IE and force it in a sandbox before testing. That should pretty much minimize the damage.
Having one system turned off prevents infection from spreading, but if it were using wireless, the infected system exposes other systems to threats.
I'd like to share how I used to do my testing (I no longer do tests). See if you can get anything from it:
What I need:
Bootable Linux USB
Dual-boot XP's: FAT32 and another with NTFS. I'll refer to them as XP1 and XP2)
XP1 has FAT32 file system, Sandboxie, and whatever suite I'll be testing, ProcessHacker, Unlocker
XP2 has NTFS file system with custom file permissions for particular folders, LUA+EMET+Wondershare Time Freeze 2, Easy File Locker, Unlocker, Sandboxie+BSA, and my preferred security setup
1. Before running tests, make sure that the AV (I'm assuming you're testing a suite or an av) is already updated.
2. Download the samples via Linux and archive them to keep them from running. Copy them on the XP system
3. In the XP system, I have Sandboxie installed and force IE to be Sandboxed whenever it is run.
4. Final updates before extraction. Turn off the wireless router.
5. Extract and run EACH malware in an isolated folder (I mean to say in a folder of its own). This is strenuous and time-consuming, but it allows you to identify which went undetected. This will be helpful in tracking it down later.
6. List down detected and undetected malware. Undetected malware are copied from the Linux built and analyzed via ThreatExpert/Sandboxie+BSA (if upload fails). Behavior is analyzed and logged in a text file. Copy the text file to the bootable USB.
7. Boot from the Linux USB and manually remove remnants. (Do this while still possible. You don't want errors while formatting. Too time-consuming and wears out your patience and hard drive.)
8. Reboot to confirm activity. If no activity is traced, proceed to formatting and reinstallation.
I had no trouble with this setup before.