The standard Windows firewall (XP and onwards, anyway) is really all you need. The trouble with more sophisticated firewalls is that they really need the user to understand which processes are legit and which are not. In practice they're just a hassle for users (who get used to either permitting everything, or rejecting everything when it pesters them) and generally don't increase security by any significant amount.
AVG is definitely one of the best anti-virus programs; very little gets past it in real-world use, and it doesn't interfere with the general running of the system (unlike the truly awful stuff from McAfee and Norton). Disclaimer - I'm an official AVG reseller.
Having said that, I'd been recommending it for years before actually signing up to their reseller program.
You're most likely picking up most threats either browsing the web, or through peer-to-peer downloads. For the web side of things, Firefox with the "NoScript" extension is a pretty secure combination, though again it requires a reasonable degree of savvy on the part of the user to work effectively.
For p2p... well, there's probably not much you can do other than only download fully legit torrents of open source software etc. I don't know many people who only use p2p for that.