jaclaz seems to be the most realistic person here.
There isn't any 'security model' good by default. There isn't some attack surface constantly being decreased by new defending techs and tools.
All the balance is dynamic - and it would be the greatest mistake to think that some solution is final.
Look: Chrome is supposed to be the safest browser - by design. But the latest Facebook malware epidemics were spread only by users with Chrome, as the technique was to install a malicious extension designed for this browser (and most of its clones).
Next point. Everyone says: "Update, update and one more time update!". Well, OK. Done.
Who can manage all the knowledge about fresh vulnerabilities - we, users (even advanced ones) or people from the dark side? You know the answer.
They do. Not we.
Paradoxically, a newly updated system is a more attractive and unrestricted field for a villain than a good old stable one with known holes. New software, new modules, new functions mean new security holes. They learn and use them faster than we react and start defending.
That's why I say 98 nowadays is the safest OS from Windows. That's why I say that the need for updating is seriously overestimated.
That's why we can't rely on any even slightly outdated research saying that some tech or ware provides the best defence.
Provided. At the moment of release. Not now.
What can I recommend here? Not so much. Decrease attack surface by not using popular products, popular setups. Apply all the possible proactive defense to your current setup (it may be WinXP or Win 7 SP1, but you really can stop racing this Updates Grand Prix). Well, the only real system-level tools that work are policies/AppLocker or EMET.
But maybe it is better not to install what you don't use. For XP I gave up .NET altogether (except 1.1 that goes with SP3). After uninstallation I found that only 1 (!) application stopped working. And it was just a wallpaper changer that I could replace with a number of alternatives. But I decided to install back only the needed .NET 2.0.
Well, I've updated IE to the last version available (but never intend to use it for surfing) and gave up other popular browsers in favor of K-Meleon. I've changed Adobe Reader for Foxit. I use Skype through Trillian (voice only) or have video calls with ooVoo. Sylpheed instead of Outlook, Thunderbird etc.
The second point is content filtration - so I use adblockers along with web filters. DNS filtering is good but I use K9 Web Protection (and the second option could be the web filter from FortiClient).
Next I use AnVir Task Manager for advanced startup control.
Last but not least is DrBrain antivirus ;-)
This doesn't mean I restrict myself in where to go and what to do.
My security concept - on the contrary - lets me work as admin, visit any sites, install software etc. It works. And lets me work too.
I'm the real owner of my PC. I don't need all these real-time AV-monsters, eating all the power and resources and producing conflicts.
But I spend some unused time of my CPU on regular checks with a good AV scanner and some other selected antimalware stuff.
No malware for the last number of years. For me and my family. (And they aren't PC expert-level users.)