90 days. Also
"You may use the software for testing purposes only. You may not use the software for
commercial purposes. You may not use the software in a live operating environment. "
Even if the licensing terms were liberal, are you going to use an OS that hasn't been issued system updates since ages? It will be riddled with malware the moment you connect to the Internet!
The naive scenario is to fire up those VMs in a network completely contained within your development system and test locally. This makes the VMs safe.
However this seldom works because web sites, even the ones running on localhost, have all sort of external dependencies, from webfonts to third part assets stored on CDNs. So VMs need an access to the Internet and that access could compromise them.
Probably restoring them from the original image after each shutdown is the best way to fix this issue.
You must not remember some of the more memorable worms like blaster. It was a complete nightmare and would own machines that weren't behind a firewall in minutes. Luckily long since patched, but it's only a matter of time for others.
However, I believe these OS-es come with certain presets that will not expose them to the wild-internet immediately. I assume (yes - assume) that MS has enabled the firewalls per default on these images, so unless you use them to browse to certain "entertainment sites" you should be quite ok...
Edit: ok, ran a lab-test (so not the real thing): Windows XP with IE6 on one VM, Kali with Armitage on the other. A "Hail Mary" of 22 exploits did not result in any session on the windows machine...
What can I use them for, for how long, and what limitations are in place?