Windows ICS is literally a macro that enables the built-in routing services in Windows, so the machine becomes a network router, providing network address translation for the network connected to a secondary LAN port. The level of vulnerability depends largely on how the Windows machine itself is connected to the Internet. If your computer is logically a server, with its own dedicated global IP address, it's exposed to any kind of port openings and requests from the whole Internet, and has to deal with any kind of attack designed for Windows servers. In most cases, it's better to use a dedicated router as a firewall and not a general-purpose PC, at least as long as you're not a professional network administrator with some Unix-based network server that processes network packets better than some mid-priced hardware box.
But as long as you are hidden behind a network gateway or a series of gateways, your LAN isn't directly exposed and isn't directly accessible from the Internet until specific ports are forwarded from the global-level router all the way down to the endpoint device, or such a forward is established using UPnP. However, sitting in the same network area as a vulnerable machine can put the whole network segment under attack.
If your vulnerable retro machine is connected to a shared gateway, such as a home router, in the same LAN as other devices (computers, printers, Wi-Fi clients, smart home devices, etc.), it won't respond to any direct request from the Internet until you forward some game-specific port right to it. However, if the gaming machine opens a connection, and then some hacker takes control over it using an exploit in a game, a game protocol, or whatever, they'll be able to execute arbitrary code on this machine and set up the OS so that at boot time it opens a special connection to a host on the Internet controlled by the hacker and waits for a request to hand control of itself over to the hacker. Then, in theory, the hacker can act from inside, analyze the network settings and try to attack hosts which are in the same LAN as the gaming machine. And this is where the danger is hidden.
In a different scenario, when the retro gaming PC is connected using a PC as a router, e.g. using Internet Connection Sharing on a two-port Windows PC, there will be a different network segment, and the scope of visibility for the infected gaming machine will be its own internal network segment and its own Internet gateway, i.e. the routing Windows machine. So the routing machine will be visible and vulnerable to attacks as well, no matter whether it's behind NAT or connected to the WAN directly, but other devices will be invisible to the gaming machine. Of course, you can protect the routing machine from such attacks with a set of firewall rules, preventing the gaming client from opening any ports except those absolutely needed for its direct tasks. This way the attacker will have far fewer chances to attack the routing PC, but still, the PC is physically accessible, as if it were directly exposed to the Internet.
Assigning an individual network segment via VLAN could be a good approach to separate the data flow between your main PC and a retro gaming PC with unreliable security.
Example: you're using something like a MikroTik RouterBOARD (or actually almost any decent router which isn't the cheapest in the world) with per-port VLAN assignment, and you have some ISP WAN assigned to port 1, your LAN 192.168.0.0/24 assigned to ports 2-7, and another LAN 192.168.3.0/24 assigned to port 8. In this case, your machines will be in different networks, however you'll still be able to exchange data between them via the router, using the routing tables and firewall tables on the MikroTik, but you can set it up in a way that only the Windows 10 machine can establish, say, an FTP connection to the DOS machine, or an SMB (edit: no, SMB won't work between masqueraded networks, it's better to use another way of exchanging files. FTP is actually perfect) connection to the Windows 98 machine, but the retro PC itself will be absolutely unable to initiate a connection and reach your Windows 10 machine or any other non-allowed host in your network without direct permission from the router, which we trust. So even if something takes full control over the retro machine, it will be technically locked inside a quarantine zone. Of course it could try to take over the router, but as with the routing PC, you have to keep it updated and protected with a strong password, and you can simply deny opening any ports associated with the shell, web interface or any other kind of control over the router from the retro segment using the INPUT chain in iptables.
All of that isn't supposed to be simple, but that is the theoretically correct way to isolate a weak device from other sensitive devices in a physically shared network using just one firewall/router/smart switch.
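
The quarantine setup from the example above, written out for a generic Linux router with iptables instead of RouterOS. This is an added example, not part of the original post. The interface names `wan0`/`lan0`/`retro0`, the main PC address 192.168.0.10, and the router serving DHCP and DNS to the retro segment are assumptions.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset that quarantines the retro segment.
# Assumed names (not from the post): wan0/lan0/retro0 interfaces, main PC 192.168.0.10.
WAN=wan0; LAN=lan0; RETRO=retro0
MAIN_PC=192.168.0.10        # constructed address of the Windows 10 machine
RETRO_NET=192.168.3.0/24    # quarantine segment from the text

emit_ruleset() {
cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Attach the FTP conntrack helper only to the one permitted control connection,
# so the FTP data channel (active or passive) is matched as RELATED below.
-A PREROUTING -i $LAN -s $MAIN_PC -d $RETRO_NET -p tcp --dport 21 -j CT --helper ftp
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Retro segment gets DHCP and DNS from the router, nothing else (no SSH, no web UI).
-A INPUT -i $RETRO -p udp --dport 67 -j ACCEPT
-A INPUT -i $RETRO -p udp --dport 53 -j ACCEPT
-A INPUT -i $RETRO -j DROP
-A INPUT -i $LAN -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The retro machine must never open a new connection into the main LAN.
-A FORWARD -i $RETRO -o $LAN -j DROP
-A FORWARD -i $RETRO -o $WAN -j ACCEPT
-A FORWARD -i $LAN -o $WAN -j ACCEPT
# Only the main PC may start an FTP session towards the retro segment.
-A FORWARD -i $LAN -o $RETRO -s $MAIN_PC -d $RETRO_NET -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Load the rules only when called with "apply" (needs root and the nf_conntrack_ftp module).
if [ "${1:-}" = "apply" ]; then emit_ruleset | iptables-restore; fi
```

Run without arguments the script changes nothing; pipe `emit_ruleset` to a file to review the rules before loading them.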