If you are sitting behind a hardware firewall in a modem/router and have the Windows firewall enabled, you shouldn't really need an additional software firewall. These are aimed mainly at people using USB modems.
You can check whether your ports are visible to potential threats, and there are some reputable websites for doing this. Please can someone provide a link to one because I forget!
As for viruses, AVG (and others) offer both free and non-free options, depending on whether it's for personal use and what level of control you want - e.g. when and how often it checks for updates.
Spyware is a rather different issue. Most spyware doesn't compromise your machine but is in the form of cookies which record your browsing habits. You can hardly go anywhere without getting a cookie from googleadservices.com or googleanalytics, and there are plenty of others like com.com, quantserve.com, etc. You can block these with NoScript (in Firefox) if you like, but they're an intrusion rather than harmful. Anti-spyware software can block these or remove them, but sometimes it gets confused between good cookies which preserve your defaults on a website (theme, password, etc.) and bad ones which are like Big Brother.
Probably the worst malware are rootkits which take over the administrative/root control of your PC. If you get one of these there is little option but to reformat and start again. Some of the cleverest or most evil rootkits (and some viruses) can disable AV software so they are not visible, and the only way to check is by booting from a CD/DVD with detection software.
It's really a complete PITA and the best policy is probably to stick to trusted websites and not click on anything you're at all unsure of. The criminals and hackers are getting ever more devious.