While antivirus and a well set up firewall can help, I've found as a sysadmin that there are additional layers that need to be applied. We also use content filters to block out any unwanted malicious sites, porn and other sites we need to block. While I use Websense at work as an in-line filter, I set up OpenDNS at home and on home users' computers to cut most malicious websites off at the knees.
We also employ an off-site email scanning service to scan our emails before they hit our internal email server. Once email hits the server, it gets scanned again. All computers are locked down and we utilize LANDesk for malware and patch updates / security vulnerability scanning. Of course, Altiris works well too, as does MS System Center.
Having a layered approach tends to mitigate most problems. Some do get through, but the computer immediately gets re-imaged. All user files are stored on a central server. The computers themselves are as 'dumb' as I can make them and thus easy to fix.
Of course, you can't avoid everything. However, many solutions exist and are very low cost to implement if needed. A decent home stack would be:
Anti-Virus (Sophos, Kaspersky, yada, yada)
Malware Detection (Adaware, Spybot, etc.)
Content-Filter (aka opendns or k9 webprotection)
Backup (aka mozy or carbonite)
Online Email (aka gmail, yahoo, etc.)
Baseline Image (...)
Ad-block, Flashblock and Firefox... Sorry Slashdot...
There are many choices available. Many of them work very well. While this won't mitigate all attacks, it will minimize them quite a bit. As long as folks don't intentionally break them... :)
Hope this helps.