Otherwise, look at VirtualBox for a really free virtual machine.
Or maybe try andLinux. This runs a co-operative Linux Kernel under Windows, with software. Install Firefox under andLinux, configure a desktop icon, and she can browse to her heart's content, and nothing will infect anywhere. Firefox under Linux is pretty close to Firefox under Windows, so she should be OK functionality-wise (you will probably need to install Flash and stuff, though).
A new machine will get just as infected as the old one. The solution is preventing infection in the first place, or sandboxing the browser from the rest of the system so nothing can infect the main part of the system, and the browser can be rolled back.
I’ve got to say, there is much to be said for not letting users run as administrators. It has worked for me for years, but it does mean that every few months I have to respond to all the “XXX needs to be updated” messages my wife gets fed up with. But I don’t get malware.
Without the hassle of a virtual machine, build an administrative security policy blanketing the antivirus, firewall, and for that matter any other rights you need to block.
Once your strategy is straight, block the admin account, do a backup or ghost, and let your sister go. As long as your AV protection is behind your admin blanket, she won’t be able to touch it. I’m not sure that you can hide what you have done, but you can block access rights all the way down if you want.
You can even go about it the other way around (the right way), but you will have to define by hand exactly which rights you will authorise for each account as if you were the administrator of a network.