You can run Windows XP without ever getting spyware/malware. Once you have installed Windows XP, create an Administrator account and a Limited User Account (LUA). Always run Windows under the LUA for your day-to-day operations. If you need administrator access, you can take advantage of Fast User Switching and simply switch to the Administrator account while staying logged on to your LUA. From there, perform all of your administration tasks, such as installing software, adding security, etc. When you are finished, simply switch back to your LUA. Since most malware/spyware tries to write to system files that require admin access, running as a limited user will SQUASH this like a bug. Give it a try; you will not be disappointed.
Note: Fast User Switching is disabled when you connect to a domain. In that case, you can use the runas command to elevate your privileges.
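The runas route described above, as an added batch-file example that is not part of the original tip: it reports whether the current logon has administrator rights and, if it does not, opens a visibly marked administrator console. It assumes the local admin account is named "Administrator" and that the Server service is running, which "net session" needs.

```bat
@echo off
rem Added example, not from the original tip.
rem Assumptions: the local admin account is named "Administrator" and
rem the Server service is running (required by "net session").
setlocal

rem "net session" fails with "Access is denied" for a limited user,
rem so its exit code shows whether this logon has admin rights.
net session >nul 2>&1
if errorlevel 1 goto limited

echo WARNING: %USERNAME% has administrator rights in this session.
echo Switch back to your limited account for day-to-day work.
goto done

:limited
echo %USERNAME% is running as a limited user.
echo Opening an administrator console; enter the admin password when prompted.
rem "color 4F" gives the elevated console a red background so it is
rem never mistaken for a limited-user prompt.
rem On a domain, replace %COMPUTERNAME% with the domain name to use a domain account.
runas /user:%COMPUTERNAME%\Administrator "cmd.exe /k color 4F"

:done
endlocal
```

Programs started from the red console inherit the administrator account, so close it as soon as the administrative task is finished.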
For more information, check out Aaron Margosis' blog.