Well, the last two posts really hit it, but if you read my security articles, it's like this:
1. Never connect a Windows PC directly to the internet. Put a home router (at least) between your internet connection and Windows. Even a basic NAT setup is going to be a hindrance to internet worms and the like.
2. Use the Firewall built in to Windows. It's not perfect, especially since it has very limited control of outbound traffic, but that also means it doesn't harm PC performance and users can't permanently block something that's really important... which is something I've seen dozens of times.
More importantly, the Windows firewall means not having to fight with Firewall software over turning on things like Windows File and Printer sharing, or dealing with completely unfamiliar interfaces for finding where to even have that fight.