Sorry for how long this is, but whatever, I'll just post it.
I support PCs for several people in the family who live near me.
About half of them are on XP, and my argument has been that the EOL status isn't a big deal. IMO 99% of what matters is the actions of the user, not whether it's a current OS. In the rare chance that an application exploit affects someone, it would almost certainly be through the web browser, not because of what version of Windows they have. Besides, I still don't use Vista/7/8 myself, and I dread trying to administer those machines.
My struggle has been to get people to think more suspiciously about what they're installing. Some people have had a bad history of installing malware on their PCs, but I think it's getting better.
For kids, I set them up as a restricted user and then give their parents an administrator account. They can't break anything without their parents' help.
If I have to reinstall Windows on something, I give myself a hidden admin account. I use registry tweaks to make it hidden. This way I don't end up stuck when I'm asked to repair a PC, but I don't have the current login information.
I keep text files with (overly) verbose notes of each installation. Occasionally they're a helpful reminder of what I did on somebody's PC.
Disk Image
-------------
To be safe, I'll normally make a disk image before doing a reinstall, just so I'm sure I can recover any files the user reports missing later. Sometimes I'll also make an image of the clean, working reinstall. But I have to say, I don't think I've ever restored one of those.
When doing disk images, there's some Microsoft utility that can be used to fill all the free space on the drive with zeros. I run that, then do the image. This way the free space in the image is compressible.
Backup software
---------------------
Mostly I don't get into this, but there have been a couple of cases where I was worried about the importance of files somebody might lose. I set up an NTBackup schedule in one case, and in another I set up whatever that goofy autobackup system is on Windows 8. Duplicate drives are obviously needed for this to do much good.
MSE/etc
-------
I've been installing MSE for the last couple years, but now it only has about 1 year left of updates under XP and it's a bit of a hassle getting rid of the EOL nag popups which started appearing. I uninstalled MSE from one of the machines, and replaced it with the free version of MBAM. It doesn't have any automatic protection so I just suggested they run it occasionally. I'm not too worried; the users of that machine aren't too virus-prone.
I'm also starting to suggest people use VirusTotal before installing anything they aren't sure of.
I use the "disable autorun completely" tweak in WinXP to reduce the risk of infections getting spread through flash drives.
WinVNC remote desktop
---------------------------
The last 2 or 3 systems have had an installation of WinVNC. It is not listening for incoming connections. Instead, the only way for me to connect is if they connect to me using the "reverse connection" feature. I've made note of the exact instructions for this procedure, and I'll just tell them my IP address at that time.
Since they're connecting to me, it eliminates issues with their router/firewall settings and allows me to reach multiple PCs behind the same router. Also, since their end isn't listening for a connection, it closes the risk of them ever getting hacked into.
Speedfan can alert you to problems
-----------------------------------------
One machine is a low-budget, late P4 LGA775 game machine for one of the kids. The video card is an issue - it performs well, but it runs hot. I did what I could with the fan controls (used Rivatuner I think), but it still runs hot. I configured Speedfan to keep me informed. It has some alert conditions configured - as the GPU temp rises above 75C I start getting emails (limited over time so I don't get spammed). If the temp crosses a higher threshold then the speaker starts beeping (and I get emailed about that also). They've been instructed to stop the game and let it cool for a while if they hear the alarm. I get the 75C+ emails pretty often, but the local alarm has only sounded once.
I think there's also an email alert for dead fans, or at least there should be.
These emails were meant to let me know when fans or dust need attention. There have been problems with that before when I find somebody's PC in a terrible state.
In the case of this PC though, it just plain has heat problems even though it's clean. At least I've been informed that the problem exists, anyway.
RMClock
----------
I used RMClock on an HP laptop after it needed a motherboard replaced. It permanently undervolts/underclocks the CPU to a range where the temps seem to stay decent. At this stage of its life it just needs to be reliable, and it's fast enough at the reduced speed. I would have preferred changing the behavior of the fans and undervolting the NVidia chipset/GPU (where the real heat problem lies), but those things weren't possible. The CPU wasn't the real problem, but undervolting it helped indirectly.