Get a thin client such as an HP t610 and use Enhanced Write Filtering to protect from any changes.
You can set a system baseline and lock it down with EWF. Once locked down, any file calls from the operating system or software are intercepted and redirected to RAM. No changes are made to non-volatile memory. Once powered down, the system expunges all changes and reverts to the baseline you set.