Obviously I don't know your brother, but I do know some computer security guys who do not use software firewalls. Through working with Windows Services and connectivity stuff "behind the scenes" they "harden" their defenses and control access down to the finest detail. They consider this to be secure, and perhaps it is. For those of us who don't have that level of knowledge, I think it's best to use appropriate security, as pepoluan so eloquently explained.
LOL. I am anal when it comes to security, having seen and experienced firsthand what could happen when security is breached.
Sooo, on any new non-domain Windows installation, "services.msc" is the first thing I fire up. Kill all unnecessary services. Then into "Local Security Policies". Then "gpedit.msc". I make sure to kill / disable / restrict dangerous things, e.g. autoplay.
Then, I install a firewall. Used to be ZoneAlarm, but guess what now.

Then, I install an antivirus: either AVG or Avast, depending on the user's preference (I gravitate toward Avast, but it's a free world). Lately I also install BitDefender 8 Free Edition in addition to AVG and Avast.
Finally, all things done, I rename the Administrator account (just to make it harder for people to 'stumble' upon it), make a fake Administrator account, and make personal user accounts (with necessary security rights).
Then I delegate all daily maintenance to the deputy admins.
Edit: And one more thing: to ensure that Windows is as updated as possible in the shortest time possible (i.e. 0 hours after installation), I never install using the original Windows XP / Win2003 CD. I go to RyanVM's site, download his update pack, and stream it into the installation CD using the RyanVM Integrator utility, in effect making an installation CD that has all security updates since SP2 was released.
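The post-install routine described in the post above (unneeded services off, autoplay off, lockout policy, firewall on, the built-in Administrator renamed, a decoy "Administrator" planted, standard accounts for daily use) condensed into one script, as an added example. This is not pepoluan's script: it targets a current standalone Windows (10/11 or Server 2016+) with the Microsoft.PowerShell.LocalAccounts and NetSecurity modules, where XP/2003 did the same things through services.msc, gpedit.msc and the Users control panel. The service list, the registry values used for autoplay, the lockout numbers and every account name are my assumptions, marked as such in the comments.

```powershell
#Requires -RunAsAdministrator
# Added example: post-install hardening of a standalone (non-domain) Windows machine.
# Assumes Windows 10/11 or Server 2016+ with the LocalAccounts and NetSecurity modules.
# Run once, elevated, straight after installation and before the box goes on the network.

$ErrorActionPreference = 'Stop'

# 1. Services. The list is an illustrative assumption (remote registry, telnet, UPnP/SSDP,
#    RRAS, WMP sharing); anything not present on this build is skipped.
$unneededServices = @('RemoteRegistry', 'TlntSvr', 'SSDPSRV', 'upnphost', 'RemoteAccess', 'WMPNetworkSvc')
foreach ($name in $unneededServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { continue }
    if ($svc.Status -eq 'Running') { Stop-Service -Name $name -Force }
    Set-Service -Name $name -StartupType Disabled
    Write-Host "Disabled service $name"
}

# 2. Local security policy: account lockout, so guessing the real admin password is
#    slow and noisy. 5 / 30 / 30 are assumed values; duration must be >= window.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null

# 3. Autoplay / AutoRun off for every drive type, via the machine-wide policy keys
#    (the same setting gpedit.msc writes under "Turn off Autoplay").
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $explorerPolicy)) { New-Item -Path $explorerPolicy -Force | Out-Null }
Set-ItemProperty -Path $explorerPolicy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
Set-ItemProperty -Path $explorerPolicy -Name 'NoAutorun' -Value 1 -Type DWord

# 4. Firewall: the built-in one, on for every profile, inbound blocked unless a rule allows it.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

# 5. Rename the real Administrator. Locate it by its well-known RID (500), not by name,
#    so the script is safe to re-run on a box where it was already renamed once.
$realAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
$newAdminName = 'svc-maint'   # assumed name; pick something unremarkable
if ($realAdmin.Name -ne $newAdminName) {
    Rename-LocalUser -Name $realAdmin.Name -NewName $newAdminName
    Write-Host "Renamed built-in Administrator (RID 500) to $newAdminName"
}

# 6. Decoy "Administrator": disabled, member of no group, with a random 256-bit password.
#    Its only job is to absorb guesses; with failed-logon auditing on, attempts against
#    it land in the Security log as a tripwire.
if (-not (Get-LocalUser -Name 'Administrator' -ErrorAction SilentlyContinue)) {
    $buf = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    $decoyPassword = ConvertTo-SecureString ([Convert]::ToBase64String($buf)) -AsPlainText -Force
    New-LocalUser -Name 'Administrator' -Password $decoyPassword -Disabled `
        -Description 'Decoy account, not used' -PasswordNeverExpires -UserMayNotChangePassword | Out-Null
    Write-Host 'Created disabled decoy Administrator account'
}
auditpol /set /subcategory:"Logon" /failure:enable | Out-Null

# 7. Day-to-day accounts: standard users only. Anyone who needs Administrators
#    membership gets it added separately and deliberately, never by default.
$dailyUsers = @('alice', 'bob')   # assumed names
foreach ($user in $dailyUsers) {
    if (Get-LocalUser -Name $user -ErrorAction SilentlyContinue) { continue }
    $pw = Read-Host -Prompt "Initial password for $user" -AsSecureString
    New-LocalUser -Name $user -Password $pw -FullName $user | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $user
    Write-Host "Created standard user $user"
}
```

Two points worth checking after a run: `Get-LocalUser | Select-Object Name, SID, Enabled` should show the RID-500 account under its new name and the decoy "Administrator" as disabled, and a deliberately wrong logon against the decoy should produce a 4625 event in the Security log. Renaming alone is not a strong control, since the RID-500 SID is still enumerable by anyone who can query the SAM, which is why the script leans on lockout, auditing and standard-user accounts rather than on the rename.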