We're in the process of planning for Flash's retirement in 2020. Our Physics department has some old resources that are Flash-based - it's a collection of interactive .swf files that have an exe file as a front end. The exe is based on an old version of Flash Player.
Is it safe to use this software as it's offline? Or should we phase it out in parallel with Adobe phasing out Flash player plug-ins etc?
It's not safe if you use it for resources you did not prepare or do not trust. All Flash Player vulnerabilities are based on carefully made SWF files which exploit weaknesses.
There is going to be a lot of content in existence that will remain useful and relevant after Flash Player arrives at its end of life. There are well-established techniques for preserving and isolating legacy software in modern environments (Citrix Receiver, etc.).
Flash Player, like the browser and operating system, is tasked with processing untrusted content. Limiting its use to processing trusted content is definitely a valid risk-mitigation strategy.
How strictly you want to isolate Flash really depends on your circumstances, available resources and your environment. There are plenty of Java applets still floating around the world's Math departments, which suffer from the same core set of issues and browser restrictions. (They're also PAINFUL to use in 2018.)
I'd also wonder about the long-term viability of that application on Windows 10. If it's a really old copy of the Flash projector, it's pretty cool that it's survived all of the API deprecations that happened between Windows 8 and Windows 10. If it was Mac, it would most certainly be broken, and while Windows is more conservative than Apple about API deprecations and backward-compatibility in general, those changes can and do happen in all operating systems. Part of what we do over here on a day-to-day basis is ensure that this 20-year-old software package continues to work on modern operating systems and browsers.
If it were me, I'd probably offer students the application on a virtualized, ephemeral Citrix instance. It doesn't even really need network access. That's probably way overkill given the already-limited threat surface, but you're looking for guarantees. If the machine gets popped, its state doesn't persist beyond the user session, and limiting the access of that particular host reduces the risk of an attacker pivoting on your network from the compromised host down to near-zero.
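One way to enforce the "trusted content only" approach discussed in this thread, as an added example that is not from any of the posters or from Adobe: record SHA-256 hashes of the vetted .swf collection once, then check the folder against that manifest before the projector is started. The function names and sample file names are assumptions; the header check uses the SWF format's 3-byte signature (FWS, CWS or ZWS), version byte and little-endian length field.

```python
import hashlib
import struct
from pathlib import Path

SWF_SIGNATURES = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}


def swf_header(data: bytes) -> dict:
    """Parse the fixed 8-byte SWF header: signature, version, declared length."""
    if len(data) < 8 or data[:3] not in SWF_SIGNATURES:
        raise ValueError("not a SWF file")
    version, length = struct.unpack("<BI", data[3:8])
    return {"compression": SWF_SIGNATURES[data[:3]], "version": version, "length": length}


def build_manifest(folder: Path) -> dict:
    """Hash every .swf in the vetted collection (run once, keep the result read-only)."""
    return {p.name: hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(folder.glob("*.swf"))}


def verify(folder: Path, manifest: dict) -> list:
    """Return (filename, problem) pairs; an empty list means the set is unchanged."""
    present = {p.name: p for p in folder.glob("*.swf")}
    problems = [(name, "missing") for name in sorted(set(manifest) - set(present))]
    for name, path in sorted(present.items()):
        data = path.read_bytes()
        if name not in manifest:
            problems.append((name, "not in manifest"))   # content nobody vetted
        elif hashlib.sha256(data).hexdigest() != manifest[name]:
            problems.append((name, "hash mismatch"))      # vetted file was altered
        else:
            try:
                swf_header(data)
            except ValueError:
                problems.append((name, "not a SWF file"))
    return problems


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        # Constructed samples: header-only stand-ins, not real lesson files.
        (folder / "pendulum.swf").write_bytes(b"FWS" + struct.pack("<BI", 8, 8))
        manifest = build_manifest(folder)
        (folder / "extra.swf").write_bytes(b"CWS" + struct.pack("<BI", 10, 8))
        print(verify(folder, manifest))
```

A non-empty result is the signal to refuse to start the front-end exe until someone has looked at the flagged files.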