Why remove working ATMs?
I can guarantee that by isolating a Windows 3.1 install behind a firewall that only allows outgoing connections, it will be more secure than Linux, Windows and even OpenBSD.
Being based on POSIX / BSD sockets, the Winsock network stack isn't really that flawed so an outgoing connection should never really pose a security risk any more than a "modern" OS.