sure you can. but the instant they're part of a botnet attacking someone, you, it's owner, should have to do something about it. We have fire code to regulate what people build so they're not a death trap and this wouldn't be so different.
I wouldn't. But when the device, which happens to be running windows, takes part in a DDOS attack, I wish we could do something about that, rather than have to buy our way out of the problem by having a bigger pipe and sinking traffic, because it means that you have to be blessed by the powers that be of the Internet(Cloudflare, AWS, GCP, etc) in order to stay online in the face of a DDOS attack.