Infections of that nature are likely to effect the individual user's computer, more than "the system". Somewhat in this realm, we're currently "under the radar" and I don't imagine many to be tailoring things to explicity exploit our systems. The key word being currently, this is likely to adjust. Possibly rapidly. But to analyse "possible threats" from the user being infected model, the common condition inflicted on users of note currently is "ransomware" - this is undergoing evolutions currently to infect IoT devices too. Ransomware can be trivially mitigated by two simple principles, you have everything you need access to read-only, and only allow write access to the smallest possible areas as the needs require - massively limiting the possible damage such a thing can cause. The other goes hand in hand, and like any good strategy in case of failure in the first mitigation policy it will cover any deficits - and that's laugh, then restore from backup. If you cared enough about your data to consider paying a "ransom" to restore access, you'll of cared enough about it to have backups... If/when we have collective access to a storage pool, this being mounted when some user gets infected with such malware could potentially extend to lock those files equally. If that's a shared pool, then it can impact access to multiple users. The previously mentioned solutions - specifically backups, preferably in father/son/grandfather rotation - should serve to minimise impact. Other potential infections a user picks up could be able to leverage the stored authentication for accessing these forums - and at a later date, other services - and begin onslaughts of spam. Currently this isn't viable for most breeds responsible, but they can be trivially adjusted. Assuming this isn't covered by any existing IDS, Tools like "fail2ban" can be used to patrol logs and if you can define a set of "behavioural constraints" (say, issuing eleven posts in ten seconds - clearly not "normal user activity") along with a way to respond (Say, Pass timestamped event log to admin, and trigger a script that will get lists of associated posts, and deliver them to applicable mods for clean-up, after locking forum access to the account) it can act on your behalf with ruthless efficiencies. It should be trivial to mitigate total damages to "the system".
As to an infection getting a foothold into "the system" from an infected user... Reasonably unlikely. The OS appears to be a breed with a naturally good security model, so if regularly updated and patrolled with things like clam and rkhunter it should prove to be reasonably resilient. Assuming sensible deployment, say in a container, the HTTP server - what devlivers contents to browsers and the software specifically interfaced with the user(s) currently - should be running as it's own user. This user will have quite limited permissions, so in the event of compromise to that element, it's unlikely be able to do much to "the system" - But the permissions it needs could lead situations where it can be used to deliver hostile content. The next layer up from that would be the "software" used in the web pages itself. Deployed sensibly and regularly updated, this should equally prove to be resilient. With a sane development cycle, there will always be available copies of it in it's last "known-good" form, so should provide for trivial "restore to factory" in the event that this is somehow manipulated.
I wouldn't of said there is a "safe" OS, just differnt levels of vulnerabilty. The "safest" OS is commonly considered "open source" - The code it is built from is publicaly displayed. Anyone can poke through it and look for nasties, amongst other things. Sure not everyone reports these problems so they may be fixed, but most do. Over time, over everyone, every problem should be found. Eventually. Most open source projects take "community contributions" and as a result have large nummbers of people adding to the source, improving it, solving bugs, patching holes - This is how we should be doing things, IMHO, we can work in paralell on the same project and many hands make light work - Selecting one with active development is almost essential, as this is still undergoing the production cycle, recieving bugfixes and security updates.
Most frequently, this will be *nix - some breed evolved from unix, commonly linux. Linux appears to have some reputation as something difficult to use, but almost any "modern" distrobutions will default to a pretty clickable GUI which is just as easy to use as winhoes, and in some cases offers more features. The inherent security model makes infection without express permission of the user unlikely. Where windows has in some cases millions of varients of a single "virus", and almost as many breeds to have varients of, linux has but a handful - the larger number appearing in more recent years in response to it's increased adoption, and almost all requiring some form of permission element to do anything outside of the user's /home, limiting the range of damage possible to the user's personal files. These are commonly mitigated in the natural update cycle, meaning most available virus is denied the method it uses to leverage control in the first place - rather than attack the symptoms, neutralise the cause.
For a winhoes user's first forray into Linux I would suggest Linux Mint. Mint has a few interesting project goals, one of them being to eliminate the requirement to use the terminal(command line interface) - which they have done remarkably well, it's not eliminated entirely, but the average user can do almost anything they would need without it - and have a active support community that should be able to assist you with any issues you face. You can freely download a "live disc" which can be written to a usb stick using tools like unetbootin or pendrivelinux, or burned to optical media for booting. Hashes are provided so should you choose to download from any mirror or torrents, it's possible to check what you downloaded is what the team uploaded. It should unpack itself entirely to RAM and thusly not impact the existing system, until you select to install it. From that generated media, it should be possible to boot and use the OS. As it's running in RAM installing extra things it doesn't come with won't be too clever, to ignore possible space limitations a simple reboot will destroy changes. This "effect" is also useful for learning to play with a new OS, as if you manage to break it, and this shouldn't be easy, a reboot will fix it. For the average user it comes with a reasonable range of open source tools installed, notably libre office, but will be able to do many "common" tasks you'd expect to do. A "nice" feature is it comes with an IRC client, which when opened automatically connects you to their help room, making it really easy to get questions answered.