I need some tips for tightening these methods even more, because even at these levels they're not good enough and are legacy. Does anyone do this, or can anyone offer any additional steps to insulate/iron-clad a weak OS?
If a highly secure but flexible approach is needed, I'd look at some kind of DaaS solution, with the hosts inside a protected private network or private cloud, using secure encrypted links between terminals and the infrastructure (with two-factor authentication to log on). Using a VDI approach means you can spin up desktops from gold builds each time a user logs on, and only have persistence of critical files, which are stored, filtered and scanned centrally.
Couple this with using a proxy with whitelists for all internet communications where absolutely essential (block internet access otherwise) and you can be fairly happy you're safe.
Depends on the sector you're working in, natch.
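As an added illustration of the "proxy with whitelists, block everything else" part of the answer above (not from the original poster): a minimal Squid configuration with a default-deny policy, where the internal subnet, the port number and the allowlist file path are assumptions.

```conf
# Added example: allowlist-only egress proxy for Squid.
# Assumptions: desktops live in 10.20.0.0/16, the proxy listens on 3128,
# and the permitted destination domains are listed one per line in
# /etc/squid/allowlist.txt (e.g. ".example-vendor.com").
http_port 3128

# Who may use the proxy at all: only the VDI/desktop subnet.
acl localnet src 10.20.0.0/16

# Destination allowlist, read from a file so it can be managed centrally.
# dstdomain also matches the host named in CONNECT requests (HTTPS).
acl allowed_sites dstdomain "/etc/squid/allowlist.txt"

# Only plain web and TLS ports; tunnelling to anything else is refused.
acl Safe_ports port 80
acl Safe_ports port 443
acl SSL_ports port 443
acl CONNECT method CONNECT

# Order matters: Squid uses the first http_access line that matches.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet allowed_sites
# Default deny: anything not explicitly allowed above is refused.
http_access deny all

# Log every decision so blocked attempts can be reviewed centrally.
access_log /var/log/squid/access.log squid
```

The allowlist only helps if hosts cannot reach the internet directly, so pair it with a firewall rule that permits outbound 80/443 from the proxy address only; a `deny all` at the end of the `http_access` list (rather than an `allow` that was pasted in for testing and forgotten) is the setting to check when auditing such a box.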