[T]he very first thing I'd do is setup yourself as a "restricted user" or "regular user", depending on the version of Windows. Then log as administrator, make sure it works. Note the password, make it hard to crack. If admin user does not show up on your main login screen, hit Alt+Ctrl+Del twice.
Use the restricted user (with a different password) to log in on a daily basis for your regular work. If you want access to a program that the administrator can run but not the restricted user, then switch over to admin user login, make the necessary approvals (either file level or folder level) via properties, permissions page. Then switch back to regular user and see if the program works. For instance, Word needs a new font, install it as admin user, and then it is automatically available to the regular user.
Same thing with shares, folders, programs, and so on. I would restrict the regular user to be able to write to only place: documents and settings/users/username folder only. All others are off limits.
Never logon to unknown websites as admin user. Always use regular user. If something does not run, such as flash or video, install the plugin as admin user, then go back and run it as regular user. Use this method for all your needs, including installing updates, fixes, patches, etc. Admin user does all these tasks. Regular user just uses them; never installs. If you are paranoid, just setup a different regular user for just banking and other online activities that you never want anyone to stumble upon.
By the way, Windows 7 automatically implements this security model. Any Unix admin will tell you that this is the first step they take.
Then you can branch out to other things like firewall and port security. Turn off all ports for regular user (in firewall settings for XP). Just keep 81 open. Then open each port as needed by an application. Windows 7 has simplified this step vastly. XP and Vista require some clicking around.
I normally switch between regular user and admin user accounts, depending on what I'm doing. I'm logged in as both all the time. If you have to run an app as admin user without logging out as regular user, you may be able to right-click on the icon and select RunAs option. This will open a userid/password window. Enter admin user/pwd pair and off you go. But this is just for occasional use of some pesky software that requires admin rights. Otherwise, I normally avoid any software that cannot run as a regular user. This is the minimum requirement for all software on Windows 7, but not on XP or Vista. In any case, always backup using admin user so you can get all the files.
Once you get comfortable working in this fashion, disable and enable apps for the regular user to suit your style. Then branch out to Services menu in Control Panel and turn off all features you don't use. I'm sure there are about a dozen or more every computer can turn off. One laptop I setup like this in 2003 is still running without ever being infected. It still has only 384MB of RAM and runs all the latest MS Office 2003 and iTunes, and also has wireless networking turned on all the time.
There are lots of web sites that give you more ways to minimize intrusions. But this is the general idea.
Hope this helps clear some of the fog.
