is it necessary from security point-of-view, to replace these XP-PC's with new PC's.
No, it's not necessary to replace the PCs. But it is necessary to upgrade those operating systems (this may also involve replacing those PCs - we don't know. But if they are running specialized hardware, then it may be possible to keep the PC).
There are so many real-world stories about supposedly "air-gapped" PCs being infected. This can happen regardless of your operating system, but having a super-old non-updated operating system makes it even more at risk.
Especially as it sounds like your computers are protected by a software restriction to block internet access. This is likely easy to bypass. (caveat: I've never heard of this Panda web access control, but it certainly looks like on-host software).
The problem you are likely to face is a lack of vendor cooperation. It is possible that vendors refuse to help, want to charge $100,000 for an upgrade, or have plain outright gone bankrupt and the IP thrown away.
If this is the case, this is something that the company needs to budget for.
If there really is no option but to keep at 16-year-old operating system running unpatched (maybe this is a million dollar CNC lathe or milling machine or MRI), then you need to do some serious hardware-based host isolation. Putting those machines on their own vlan with extremely restrictive firewall rules would be a good start.
It would appear that you need some hand-holding in this regard, so how's this:
Windows XP is a 16 year old operating system. Sixteen years old. Let that sink in. I would think twice before buying a sixteen year old car, and they still make spare parts for 16 year old cars. There are no 'spare parts' for Windows XP.
By the sounds of it, you have poor host isolation. Let's say that something gets inside your network already. By some other means. Someone plugs in an infected USB stick. It's going to scan your interior network and propagate to anything that has a vulnerability it can exploit. A lack of internet access is irrelevant here because the phone call is coming from inside the house
- This Panda security product looks like it's software-based restrictions. Software can be bypassed, sometimes easily. I bet a decent piece of malware could still get out to the internet if the only thing stopping it is a piece of software running on top of the networking stack. It could just get admin privileges and stop the software or service. So they don't really have no internet access at all. This comes back to host isolation - with proper host isolation you could actually get them off the internet and maybe limit the damage they can do to your network.
Honestly though, you shouldn't need to justify replacing these computers and/or operating system. They will be fully depreciated for accounting purposes, they're likely well past the end of any warranty or support from the hardware vendor, they are definitely past any kind of support from Microsoft (even if you wave your titanium American Express in Microsoft's face, they still won't take your money).
Any company that is interested in reducing risk and liability would have replaced those machines years ago. There is little to no excuse for keeping workstations around. I listed some valid excuses above (if it's totally disconnected completely from any and all networks and lives in a closet and runs the elevator music I might - MIGHT - give it a pass). It sounds like you do not have any valid excuse for leaving them around. Especially now that you are aware that they are there, and you have seen the damage that can occur (I assume you were writing this in response to WannaCry/WannaCrypt).