One online machine. 2 instances of armory installed in separate folders. One can access the internet. The other is blocked at firewall level. Or even better in a virtual machine that has no network access.
Ah, so you only have one machine... In that case, the setup you describe would probably be "safer" than a "normal" desktop wallet, but defenatly not as safe as a proper airgapped setup (or a hardware wallet, or a properly generated paper wallet)... a VM with an encrypted disk and no network devices, nor using a shared clipboard might actually be a reasonably safe setup (albeit, you'll need a procedure to transfer signed/unsigned transaction back and forth with the use of a virual usb or something). I'm also thinking about applying patches to such a vm, since it's still located on an online pc, I'd still regulary apply patches, which would be a pain for a vm that doesn't have network interfaces...
An option if you have one machine would be to boot tails and use it offline for your wallet with the private keys, then reboot to your "normal" online OS to create the watch-only wallet. This way you'd have a proper airgapped setup with only 1 machine (so you don't have to "sacrifice" a device for holding your airgapped wallet)