And you can't be on the internet without having antivirus software.
I've been on the net one way or another since the early nineties, never run a firewall on my computer, never run background antivirus software and never had a problem.
1. Use a dedicated firewall - either a gateway server or on your ADSL box.
2. Don't download except from trusted sources -- preferably where you can read the source and compile it yourself.
3. Run any virus checker as a one-off against downloads (Firefox seems to insist on doing this... till then I never bothered, due to 2).
4. Know what all the processes (not applications) running on your PC are; as I type, I have 32 processes running in task manager.
Nothing can break into your PC without you providing a way in. I won't run background software that I don't trust and I simply don't trust any company selling software on the basis that "there are dark forces out there trying to invade your PC" -- it's more bunkum. Just don't download from untrusted sources.
The most important thing is to provide a firewall that acts like you're not there. Last time I checked, the Windows firewall rejected packets back to the sender, indicating you exist. A proper firewall just drops them, wasting the sender's time and appearing just like any other invalid address. Then don't open incoming ports on the firewall -- mostly you won't need any; responses to requests you make outbound don't need any.
(Also, using a good ad blocker in your browser can stop exploits and, if you're not running your browser, it doesn't take up CPU. And don't randomly accept cookies, either -- again, you're potentially telling who-knows-who that your IP address is valid; but ideally the ad blocker would be catching these up front.)
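As an added example (not the poster's own setup), here is an nftables ruleset that implements the "act like you're not there" firewall described above: default policy drop rather than reject, no inbound ports opened, and only replies to connections the host itself started allowed back in. It assumes a Linux host or gateway with nftables installed; the output path is a placeholder you pass in.

```shell
#!/bin/sh
# Write an nftables ruleset matching the post's advice:
#  - policy "drop": unsolicited packets get no answer at all. "reject" would
#    send an ICMP unreachable / TCP RST back, telling the sender a host exists.
#  - no inbound ports are opened; the only traffic allowed in is the
#    return half of connections this host (or the LAN behind it) initiated.
# Assumption (constructed example): Linux with nftables; interface names
# are not needed because the rules are keyed on connection state only.
write_ruleset() {
    out="$1"
    cat > "$out" <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
    }
    chain forward {
        # only matters on a gateway: let LAN replies through, nothing else
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
    }
    chain output {
        # outbound requests are allowed; their replies match "established"
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Sanity check before loading with "nft -f FILE": the ruleset must drop by
# default, must never use "reject", and must still let replies back in.
check_ruleset() {
    f="$1"
    grep -q 'hook input.*policy drop' "$f" || return 1
    grep -qi 'reject' "$f" && return 1
    grep -q 'ct state established,related accept' "$f" || return 1
    return 0
}
```

Load it with `nft -f FILE` once `check_ruleset FILE` passes; anything you do not want dropped (for example a service you deliberately expose) needs an explicit accept rule added to the input chain.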