Nothing will protect you from application-based malware except a locally executed, periodically updated antivirus that is hooked into the Windows kernel and intercepts OpenFile/OpenFileEx API calls. It works the same on any Windows, from Win95 to Win8.1. The antivirus software is available from many vendors, and it runs on XP just fine (and will continue to run, as long as the vendor has enough XP users.)
IE is yet another channel of virus distribution. Get rid of it by blocking it with a firewall (Sygate, ZoneAlarm and others allow you to block individual applications.) Run Firefox with AdBlock and NoScript addons, and drive-by payload will have no chance to even get downloaded, let alone run and escape the JavaScript sandbox. Your Internet experience will improve dramatically. Firefox is supported and updated regularly, so this channel of intrusion should be blocked on all platforms (XP and Win7/8/9.)
In my use scenario XP boxes are not used for active Internet browsing. They instead have industrial use - they run certain equipment. Nobody touches them for weeks, and certainly nobody surfs the Internet with them. Other people may use XP for Internet browsing, but very simple measures will ensure (well enough) that the computer is safe. Those measures equally apply to any version of Windows.
If the XP machine is networked and in the same environment as systems containing sensitive data (PHI, PCI, or govt data) it is not compliant on April 8th. If the XP machine is not networked or is segmented using a firewall then it would be ok.
Doesn’t matter if its used to surf the internet or not, although that does reduce the chances of an actual incident.
I'd really love to see a similar application under Linux. Yes, you can do iptables, but I'd really like to have a program that could watch all network ports, and prompt you for an allow/deny when it notices something trying to phone home or contact google or something. I've not seen one, and I look around for something that will do that little thing about once a year.