For kids' computers, consider using a third-party DNS service such as OpenDNS. Once you're registered, it's easy to tell it which categories to block. As pure DNS, it's fast, too.

umm, you are aware that "Stealth Mode" on most routers only disables ICMP replies? It's not a panacea.

I would concur with this too. It's saved a lot of my customers when their ISP's DNS servers died on them too. FWIW it's pretty inexcusable to have an ISP's DNS service die on you, but a lot of ISPs haven't got a clue how to architect robust DNS anyway (evidenced by the number of DNS servers on the same c-class subnet IP, for instance)

Sorry, I should have said "stealth mode NAT router" - it's the NAT that gives you most of the protection.

Yes I do know about ICMP, I mostly do comms software for a living. What the stealth mode might give you is that a port scanner might give up, due to lack of replies due to stealth mode, before it hits something it could use. Of course if you have no open ports through your NAT box there'll be nothing it could use anyway ...

The setup looks ok, but with a (possible) oversight: that of normally safe and kosher website that have been hacked and an exploit (usually in the form of an I frame) hidden in them. Since the web content has been invited, this will include the exploit. I've been seeing a lot of this in the security forums I visit. You can keep your own 'pooters patched, but you can't be responsible for the hosting software of all websites visited. Some of these are (apparently) easy to hack...I wouldn't know, but it happens, lots.

Most exploits run by virtue of vulnerable (unpatched or faulty) software, so keeping yours patched certainly minimizes the risk. Do you keep all the software that often comes with Windows (or is installed later) equally patched? Such as Adobe, Java, Macromedia etc?

(for a bit of a check, have a look at Secunia.com and maybe have each computer scanned by the OSI (online scanner) or the PSI (application for vulnerability monitoring.)

It definitely would not hurt to install a demand scanner and just check everything is good, say, once a week (or less), just to be sure. (It probably is. ) MalwareBytesAntiMalware is one of the better ones, these days.

A Bulgarian IT friend says McAfee is the first software that virus writers use to test their viruses. Viruses are one national export there. A French IT friend confirms.

I have Avast Free. It works well. Have never needed the paid upgrades. AVG from Lavasoft has a good reputation and so does Kaspersky. Avast seems to use fewer system resources.

Windows Defender has been a good firewall. ZoneAlarm Free worked well when I used it.

I run SpyBot to inoculate once a month.

So far so good.

If most of my translation clients did not use Microsoft Office, I would have switched to Linux and OpenOffice ages ago. Now I'm on Vista (a pompous resource hog makes me feel Al Qaida is hacking my system every time I try to connect to my ISP or run Avast but performance is not that bad) and seemed sentenced to Windows7 when my ThinkPad X61 reincarnates into something else next year.

Where do I start.....so much mis-information, so little time.

1) I would discount what a Bulgarian IT friend says. Unless you have a sample size of more than 30 Bulgarian IT friends your information is statistically (and probably racially!) flawed.
2) AVAST (and AVG) don't limit their functionality by number/types of viruses detected - to do so would be corporate suicide in their market.
3) Lavasoft doesn't make AVG. AVG makes AVG (used to be a Czech company called Grisoft, who have renamed themselves).
4) System resources used has as much to do with the modules within a package as the package themselves. For instance, whilst I recommend AVG (well I would, i'm an AVG licensed reseller), I wouldn't recommend you install their AVG Toolbar or AVG Active Surf Shield.
5) Windows Defender isn't a firewall.
6) Windows 7 is to Vista as chalk is to cheese

Well, some of it. The trouble with Java is that it's so flaky that you tend to need to have a particular version installed for each application, as the applications are written to the particular bugs in a particular version of the JRE, so it's not realistic to simply run only the latest patched version.

It is a bit flaky, yeah.
It's own updater doesn't seem too reliable, either, and past versions would not delete older versions installed prior, so they could sit there, being vulnerable, and (unless you were a bit techy) you wouldn't know.

The Secunia application, although not perfect/the silver bullet, does a very good job of warning of vulnerabilities in most 3rd party software, Java included.