You didn't mention antivirus.
Sure--no protections are perfect. The best firewall is an airgap between
the Internet connection and the hardware it needs to connect to.
You can add lots of protective software to your machine, but if you happen
to go to the website that is offering up a zero-day exploit of your web
browser of choice, and it downloads something never before seen by antivirus
vendors, and sufficiently clever, you might never see an alert--especially
if you never do full scans of your machine.
Microsoft Antispyware is a big help--in the hypothetical case I cite above,
it should alarm on the install of whatever the web site pushes onto your
system. However, you still have the option of allowing that install--for
example, the web site says "Press here to receive the latest and the
greatest absolutely free...." and you press here and then get an alarm that
"admission ticket for latest and greatest absolutely free" is being
installed. Do you say yes? Well--maybe...
Most spyware comes from the user clicking in places and on items that they
never should have. Some of it exploits vulnerabilities, as viruses do, but
much of it is pretty mundane.
And if you click on it, and it isn't in the definitions yet, and you
misinterpret any flags raised--you're infected.