In the good old days of windows XP, I didn't install an ethernet driver. That isolated windows effectively enough. Today, 7 works out of the box, and I go for "change adapter settings, disable".
For cad / uni work, I tend to use a windows install without access to the internet. This has proven a very effective way of keeping viruses out. The same computer has a few other operating systems installed though, and the day-to-day windows and linux systems do have internet access. I don't want to repeatedly unplug an ethernet cable, hence the above set up.
I suppose malware could infect the windows install that can see the internet, assign a drive number to the offline windows partition, and attack it. So far this hasn't happened.