If you turn off JS and all the other features (ActiveX, etc.) that should've never been allowed on anything other than sites you fully trust, probably a very long time.
I wonder how much malware now just refuses to run on XP because it attempts to use functions that were introduced in later versions.
If I were going to attempt this with a VM, maybe I would try to perform a checksum on every file first, then recheck everything after an hour (from a powered-down state) and look for changes. I would be concerned that any malware would simply be a downloader for something which is undetectable to AV.
Probably the wrong place to ask, but this seems like such a fun experiment to try but maybe more difficult than I initially thought.
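The checksum-and-recheck idea from the comment above, as an added example that is not part of the original thread. It assumes the VM is powered off and its disk is mounted read-only on the host at the path given as the first argument; the function names and the JSON baseline file are this example's own.

```python
import hashlib
import os


def hash_file(path, chunk=1 << 20):
    """SHA-256 of one file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each relative path under root to its SHA-256 (None if unreadable)."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                # Record the link target instead of following it off the image.
                result[rel] = "link:" + os.readlink(full)
                continue
            try:
                result[rel] = hash_file(full)
            except OSError:
                result[rel] = None  # record it rather than silently skipping
    return result


def compare(before, after):
    """Return sorted lists of added, removed and modified relative paths."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


if __name__ == "__main__":
    import json, sys
    # Usage (assumed): script.py <mounted_image_root> <baseline.json>
    root, baseline_path = sys.argv[1], sys.argv[2]
    current = snapshot(root)
    if os.path.exists(baseline_path):  # second run: report changes
        with open(baseline_path) as f:
            print(json.dumps(compare(json.load(f), current), indent=2))
    else:  # first run: store the baseline outside the VM
        with open(baseline_path, "w") as f:
            json.dump(current, f)
```

Registry hives, event logs and the pagefile change on every boot, so they will show up under "modified" even on a clean run; the "added" list is the part that answers the downloader concern without depending on AV detection.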