To me it all boils down to one thing - if you use MS's firewall you have to say you TRUST MS to secure your machine without any holes/exploits.
As we all know, the MS firewall can be controlled programmatically without the user knowing about it. The MS firewall also came with a hole right out of the box (which was patched).
When it comes to security I'm very, forgive the expression, anal about it. For a home user I would always want at least a border device like a NAT router, then quality AV software, a non-IE browser and a non-OE/Outlook email client, and then to lock the computer down as much as possible - including not letting the user run as Administrator under normal use of the system. I would also install AdAwareSE and WallWatcher - between these two products you catch most new spyware and also get to see all inbound and outbound traffic, so that you can determine whether your network is still secure.
At the router I block outbound connections "to" remote ports 135 through 139 and 445 and several others, but those are the main ones.
An added measure, for people that run QuickBooks or other financial software, or keep their identity on the computer, would be to install something simple for them to manage, a personal firewall like ZoneAlarm. I would trust ZA over anything that MS produces, even their ISA server.
I have yet to have a compromised system using the above methods for home users.
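The egress block on remote ports 135-139 and 445 described in the post above, as an added example that is not part of the original post. It assumes a Linux-based home router using iptables, a hypothetical WAN interface name of eth0, and a few constructed firewall log lines in the kernel LOG format; the rules are printed for review rather than applied, and the second function shows how the resulting log entries reveal an internal host that is trying to reach those ports (the kind of traffic a worm or bot generates).

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a Linux/iptables
# router; "eth0" as the WAN interface is an assumption.
WAN_IF="${WAN_IF:-eth0}"

# Ports the post blocks outbound: NetBIOS/RPC 135-139 and SMB 445.
# multiport accepts ranges (a:b) and a comma-separated list.
BLOCKED_PORTS="135:139,445"

# Print (do not apply) the rules: log first so hits show up in syslog,
# then drop. FORWARD covers LAN hosts leaving via the WAN interface.
emit_egress_rules() {
    for proto in tcp udp; do
        printf 'iptables -A FORWARD -o %s -p %s -m multiport --dports %s -j LOG --log-prefix "EGRESS-BLOCK "\n' \
            "$WAN_IF" "$proto" "$BLOCKED_PORTS"
        printf 'iptables -A FORWARD -o %s -p %s -m multiport --dports %s -j DROP\n' \
            "$WAN_IF" "$proto" "$BLOCKED_PORTS"
    done
}

# What the rule set above does with one outbound connection.
# usage: egress_verdict <tcp|udp> <remote-port>  -> prints BLOCK or ALLOW
egress_verdict() {
    case "$1" in tcp|udp) ;; *) echo ALLOW; return 0 ;; esac
    port="$2"
    if { [ "$port" -ge 135 ] && [ "$port" -le 139 ]; } || [ "$port" -eq 445 ]; then
        echo BLOCK
    else
        echo ALLOW
    fi
}

# Constructed sample of what the LOG target writes to syslog (not real data).
SAMPLE_LOG='Mar  3 10:01:02 router kernel: EGRESS-BLOCK IN=br0 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=1031 DPT=445
Mar  3 10:01:02 router kernel: EGRESS-BLOCK IN=br0 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.6 PROTO=TCP SPT=1032 DPT=445
Mar  3 10:01:03 router kernel: EGRESS-BLOCK IN=br0 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.7 PROTO=TCP SPT=1033 DPT=139
Mar  3 10:05:40 router kernel: EGRESS-BLOCK IN=br0 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.9 PROTO=UDP SPT=137 DPT=137'

# Internal hosts that tripped the egress block at least <min-hits> times.
# One hit can be a stray NetBIOS broadcast; repeated hits to 445 on
# varying destinations look like a worm scanning from inside the LAN.
# usage: suspect_hosts <min-hits> [logfile]  (defaults to the sample above)
suspect_hosts() {
    min="$1"
    if [ -n "${2:-}" ]; then cat "$2"; else printf '%s\n' "$SAMPLE_LOG"; fi \
      | grep 'EGRESS-BLOCK' \
      | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
      | sort | uniq -c \
      | awk -v min="$min" '$1 >= min { print $2 }'
}

if [ "${1:-}" = show ]; then
    emit_egress_rules
fi
```

Run it with `show` to print the rules for review; on the real router the same rules go after the usual stateful ACCEPT rules, and the log prefix is what lets a tool like WallWatcher, or the one-liner in suspect_hosts, pick the blocked attempts out of syslog.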