The setup looks OK, but with a (possible) oversight: that of normally safe and kosher websites that have been hacked and have an exploit (usually in the form of an iframe) hidden in them. Since the web content has been invited, this will include the exploit. I've been seeing a lot of this in the security forums I visit. You can keep your own 'pooters patched, but you can't be responsible for the hosting software of all websites visited. Some of these are (apparently) easy to hack... I wouldn't know, but it happens, lots.
Most exploits run by virtue of vulnerable (unpatched or faulty) software, so keeping yours patched certainly minimizes the risk. Do you keep all the software that often comes with Windows (or is installed later) equally patched? Such as Adobe, Java, Macromedia, etc.?
(For a bit of a check, have a look at Secunia.com and maybe have each computer scanned by the OSI (online scanner) or the PSI (application for vulnerability monitoring).)
It definitely would not hurt to install a demand scanner and just check everything is good, say, once a week (or less), just to be sure. (It probably is.) Malwarebytes Anti-Malware is one of the better ones, these days.