Windows firewall is perfectly adequate, in XP SP3 and above.
A different software firewall, such as ZoneAlarm, will give you control over outbound applications connecting to the net. Where the security element enters the equation, is that if a new app (loaded by something malicious) gets into the 'pooter and decides to phone home, as it were, the outbound control represents a chance to prevent that.

Before that happens, nasty new software has to have got past your own common sense and your antivirus, plus any browser safeguards that may be present or added.

In my experience, a poorly configured firewall - even an applications-based one (as opposed to a rules-based one, which needs reasonable expertise) is likely to be less secure than the Windows one out-of-the-box.

I would suggest turning the DEP control on, in the Windows firewall. Stands for data execution prevention, IIRC. I think it may be on by default.