Use a Live CD with a lightweight client that doesn't need to download the entire blockchain. Keep the wallet on a separate USB key so you can keep any generated change addresses (since a LiveCD is read-only). This should be pretty effective unless the hardware itself is compromised.. If you're worried about the machine being exploited while online performing the transaction, you could limit exposure somewhat by generating an offline transaction.