Most of the experts I know, myself included, use nothing other than the operating system for security, along with hardware solutions.
On Windows: File permissions, group policy, service restrictions, etc.
UNIX and Linux: Compartmentalization systems such as chroot jails, SELinux, AppArmor, careful configuration of user accounts and permissions, etc.
The problem with relying on software for security is that it can introduce new holes instead of actually mitigating vulnerabilities. Isn't it better to simply not get compromised?
My corporate network is divided into four segments. The employees and office, the server closet, my private test network, and the zone where our public servers are located. We have three active IP addresses, all going to Cisco PIX firewalls. One runs the office network, one goes to the public server zone, and the last goes to my private network. The server closet connects through the DMZ that contains our public servers via a second PIX. Internally, traffic between zones is controlled by specific rulesets that are defined by what each zone actually needs.
In the offices, I have forced everybody to use Internet Explorer 8 and Outlook so that I can effectively prevent malware. IE runs as a separate user with a custom set of file permissions on the disks. The IE user can only read/write to the home drives and temp folders, and lacks permission to execute anything from those areas. Ergo, malware can download, but then it can't run. Clean out the temp folders each week, and the systems stay clean.
I don't bother running antivirus or software firewalls on the desktops since they tend to do more harm than good on enterprise networks. The Exchange server, and the file server containing most users' home drives, run Nod32 in case the employees decide to do something stupid on their own. Normally, I would just leave the antivirus off of the mail server and simply restrict attachments, but we have to send numerous executable files and scripts through email and it's simpler to just run the AV.
All of this can be done on any version of Windows, including the home versions. Microsoft just hid the functionality. You can do group policy restrictions through the registry, and advanced file permissions are available by either running the CACLS command line utility, or booting into safe mode. You may have to disable simple file sharing to do that.
Each environment is different, and you have to consider all aspects of it before deploying any sort of security. Remember that strong passwords are good, but requiring a password to be overcomplicated will only make users write it on a sticky note or something equally insecure. A longer password is better in many cases. In fact, if you use a password of length greater than 13 characters, you can actually invalidate the LANMan hash system that Windows uses to store passwords, forcing it to only use a more secure algorithm. This also will prevent attacks against the LM hashes that are used for compatibility with older systems. The same effect can be achieved by using unicode characters 0179-0200 in the password as well.
Antiviruses are not a bad idea for less experienced users, but they do not provide security, they simply clean up after a compromise has occurred. This is certainly better than nothing. The only real problem I have with them is that it is difficult for less experienced users, and even IT pros, to find a good one. Avira, Avast, Nod32, Kaspersky, and MalwareBytes are the only ones I ever really recommend. Nod32 is by far the best heuristic engine available, but it's not free; it's not expensive either... about $40.
Installing a firewall *is* pointless. The Windows firewall is more than sufficient, and has a much higher assurance level than 3rd party offerings. It is bidirectional, regardless of what some people say. It has been that way for most of the past decade. The real problem I have with firewalls is that they don't do anything useful. Ok... they block access to open ports... If you don't want people accessing a service, shut it down. A closed port cannot be exploited. Ever. It's impossible. Also, the idea of "stealthing" ports is idiotic.
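The "browser runs as its own user that can write to the temp and home folders but cannot execute anything there" setup from the post, together with the CACLS/file-permission point, can be expressed as a small PowerShell script. This is an added example, not code from the original poster: the account name `BrowserUser`, the two folder paths and the `Clear-BrowserScratchFolders` helper are hypothetical values chosen for illustration, and the script assumes an elevated session on a machine where those folders exist.

```powershell
# Added example (not from the original post). Models the "write but don't execute"
# permission set for a dedicated browser account. All names and paths below are
# hypothetical placeholders; adjust them to the real account and folders.
# Run from an elevated PowerShell session.

param(
    [string]$RestrictedUser = "$env:COMPUTERNAME\BrowserUser",   # hypothetical account
    [string[]]$WritableNoExecPaths = @(                           # hypothetical folders
        "C:\Users\BrowserUser\AppData\Local\Temp",
        "D:\Home\BrowserUser"
    )
)

function Add-WriteNoExecuteRules {
    # Grants Modify (read/write/delete) to the account on $Path, then adds a Deny ACE
    # for ExecuteFile. Windows evaluates Deny before Allow, so downloaded files can be
    # saved and read but cannot be launched from this tree.
    param([string]$Path, [string]$Identity)

    $acl = Get-Acl -Path $Path

    $allow = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList @($Identity, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')

    $deny = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList @($Identity, 'ExecuteFile', 'ContainerInherit,ObjectInherit', 'None', 'Deny')

    $acl.AddAccessRule($allow)
    $acl.AddAccessRule($deny)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-DenyExecuteRule {
    # Returns $true when an inherited-or-explicit Deny ACE covering ExecuteFile exists
    # for the account on $Path. Useful as a periodic check that nobody "fixed" the ACL.
    param([string]$Path, [string]$Identity)

    $acl = Get-Acl -Path $Path
    $hit = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq $Identity -and
        (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ExecuteFile) -ne 0)
    }
    return [bool]$hit
}

function Clear-BrowserScratchFolders {
    # The weekly temp-folder cleanup mentioned in the post: empties each folder's
    # contents without removing the folder itself (so the ACLs stay in place).
    param([string[]]$Paths)

    foreach ($p in $Paths) {
        if (Test-Path -Path $p) {
            Get-ChildItem -Path $p -Force |
                Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
        }
    }
}

# Apply and verify on every configured folder.
foreach ($path in $WritableNoExecPaths) {
    if (-not (Test-Path -Path $path)) {
        Write-Warning "Skipping missing folder: $path"
        continue
    }
    Add-WriteNoExecuteRules -Path $path -Identity $RestrictedUser
    if (Test-DenyExecuteRule -Path $path -Identity $RestrictedUser) {
        Write-Output "OK   deny-execute present for $RestrictedUser on $path"
    } else {
        Write-Warning "FAIL deny-execute missing for $RestrictedUser on $path"
    }
}
```

The same Deny entry can be written from a plain command prompt with the successor to CACLS, for example `icacls D:\Home\BrowserUser /deny BrowserUser:(OI)(CI)(X)` (path and account again hypothetical). Either way, verify the result by opening a session as the restricted account and confirming that a saved executable is readable but refuses to launch; `Test-DenyExecuteRule` only proves the ACE is present, not that the browser process is actually running under that account.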