Richard - I agree. It's not great for those of us called in to clean up either.
ORAC - that's the same setup I use and recommend too. Ideal for the home user.
A hardware firewall set to block all unsolicited requests inbound is ideal, but it's a real pain to set it up to block all unrequired outbound requests (malware dialing home, for example) while allowing things you need - ZoneAlarm is so much easier for that. You know that already, of course
It is worth noting, though, that although they are rare, there have been attacks which exploit flaws in the network code of the firewalls themselves. It's not just Windows that suffers from bad programming.

Hardware firewalls are typically much more robust than software though, because there's much less you can do once you've got code to execute.
If you're ever feeling like a bit of a geek, set up the hardware firewall to route all unsolicited inbound packets to a Linux box in the DMZ - your own mini network telescope.
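As an added example (not from the original thread or any poster), here is a small Python script for the "mini network telescope" idea above. It assumes the DMZ Linux box logs every new inbound packet through a netfilter LOG rule with the prefix `TELESCOPE: ` (the iptables rule in the docstring is a hypothetical one you would adapt), and that the kernel log lines use the standard netfilter `KEY=value` format. It separates real connection attempts from TCP backscatter (ACK/RST replies to spoofed traffic aimed at someone else), tallies the services being probed, and lists sources that touched more than one service. The log lines are constructed for the example.

```python
"""Summarise netfilter LOG lines from a DMZ 'network telescope' box.

Added example, not code from the original thread. It assumes the box logs
unsolicited inbound packets with a rule like this (hypothetical, adapt it):

    iptables -A INPUT -m conntrack --ctstate NEW -j LOG --log-prefix "TELESCOPE: "

and that the lines use the standard netfilter KEY=value log format
(IN=, SRC=, DST=, PROTO=, SPT=, DPT=, followed by TCP flag words).
"""
import re
from collections import Counter

# Constructed sample syslog lines (not real captures); addresses are from the
# RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Mar  3 10:01:02 dmz kernel: TELESCOPE: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=256 PROTO=TCP SPT=6000 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Mar  3 10:01:05 dmz kernel: TELESCOPE: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=257 PROTO=TCP SPT=6000 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Mar  3 10:02:11 dmz kernel: TELESCOPE: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=1 PROTO=TCP SPT=43210 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:03:40 dmz kernel: TELESCOPE: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=51 ID=2 PROTO=UDP SPT=1434 DPT=1434 LEN=28
Mar  3 10:04:01 dmz kernel: TELESCOPE: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.99 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=3 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Mar  3 10:04:30 dmz kernel: TELESCOPE: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.50 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 PROTO=TCP SPT=80 DPT=51234 WINDOW=0 RES=0x00 ACK RST URGP=0
Mar  3 10:05:02 dmz sshd[123]: Accepted publickey for admin from 10.0.0.2 port 50000 ssh2
"""

LOG_MARKER = "TELESCOPE: "          # must match the --log-prefix on the LOG rule
KV_RE = re.compile(r"(\w+)=(\S*)")  # netfilter prints KEY=value pairs, some empty (OUT=)
FLAG_NAMES = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}  # printed as bare words


def parse_line(line):
    """Return the netfilter fields of one telescope line, or None for other log lines."""
    idx = line.find(LOG_MARKER)
    if idx < 0:
        return None
    body = line[idx + len(LOG_MARKER):]
    fields = dict(KV_RE.findall(body))
    # TCP flags are not KEY=value pairs, so collect them separately.
    fields["FLAGS"] = {tok for tok in body.split() if tok in FLAG_NAMES}
    return fields


def summarise(log_text):
    """Tally probes by service and by source, set aside TCP backscatter, flag scanners."""
    by_service = Counter()
    by_source = Counter()
    services_per_source = {}
    backscatter = 0
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        proto = f.get("PROTO", "?")
        src = f.get("SRC", "?")
        if proto == "TCP":
            # A genuine connection attempt is a SYN without ACK. A bare ACK or RST
            # arriving unsolicited is backscatter: a reply to a spoofed packet that
            # used our address as the source, so it tells us about someone else's attack.
            flags = f["FLAGS"]
            if "SYN" not in flags or "ACK" in flags:
                backscatter += 1
                continue
            service = "tcp/%s" % f.get("DPT", "?")
        elif proto == "ICMP":
            service = "icmp/type%s" % f.get("TYPE", "?")
        else:
            service = "%s/%s" % (proto.lower(), f.get("DPT", "?"))
        by_service[service] += 1
        by_source[src] += 1
        services_per_source.setdefault(src, set()).add(service)
    # A source that touches two or more distinct services is most likely scanning.
    scanners = sorted(s for s, svcs in services_per_source.items() if len(svcs) >= 2)
    return {"services": by_service, "sources": by_source,
            "scanners": scanners, "backscatter": backscatter}


def report(log_text):
    """Render the summary as text; returns the report string."""
    r = summarise(log_text)
    lines = ["Probed services:"]
    lines += ["  %-14s %d" % (svc, n) for svc, n in r["services"].most_common()]
    lines.append("Top sources:")
    lines += ["  %-16s %d" % (src, n) for src, n in r["sources"].most_common()]
    lines.append("Likely scanners: " + (", ".join(r["scanners"]) or "none"))
    lines.append("TCP backscatter packets: %d" % r["backscatter"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On a real box you would feed it `journalctl -k` or `/var/log/kern.log` instead of the embedded sample, and rotate the counters daily; the same per-source view is what makes a telescope useful, because a host that walks through 445, 139 and 1434 in a minute is a worm or scanner regardless of what any single packet looks like.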