Can’t add much to this other than to pretty much +1 the entire thread. Good work.
AVG used to be the best, however it’s got progressively worse since about v7.5.
MSE is the best of the free outings currently. If I were paying for AV I’d go for Kaspersky but, in honesty, there’s little point.
Firewalls, if you’re behind a router then there’s little point in an additional “personal” firewall. It’s considerably easier to punch through a software firewall than it is a hardware offering running on an entirely separate device.
Any sort of “total internet security” offering is typically more trouble than it’s worth. They’re often resource hogs, stop things working, and either don’t tell you why things don’t work or ask you pointless questions every five minutes (“process ehej53.dll is requesting access to your computer – [allow | deny]” – who knows?!).
As Rio says, run one and only one AV unless you want a world of hurt. Make sure you completely uninstall AVG before installing MSE.
Packages aside, make sure your system is up to date. Run Windows Update until it stops offering you patches.
Make sure that you’re using the latest versions of Java and also Adobe Acrobat Reader / Flash / Shockwave / Air if you have them installed. These are probably the most common attack vectors I’m seeing at the moment. Java installs separate copies every time it updates – it’s worth removing all the old ones.
Secunia PSI is a neat way of checking for non-MS updates. It’s a little “ZOMG YOU HAVE TEH INSECURES!!!” but so long as you ignore that, it’ll highlight what can be updated.
Stay off the pron sites, don’t click on things you don’t recognise no matter how convincing it looks. By a country mile, the single biggest security hole in Windows these days is people.