What Chrys was saying very much matches my experience, and now I’ve been dragged back into ancient history, to the times when I was still well. :-)
About 18-20 years ago, one of my neighbours got infected within around 5 mins after connecting a Win XP (not SP2) box to the internet with default settings. (Time-till-infection inferred from a later simple experiment, iirc.) They took the box back to the shop and had Windows XP reinstalled on it and somehow had some random antivirus software installed with it. This time they did much better: it lasted about 30 days before becoming infected. In distress they came to me wanting a freebie, as they were far too cheap to want to pay my normal consultancy rates, so I refused to get involved as there would be no payment for my work and they probably wouldn’t follow the draconian future security restrictions needed to keep the machine healthy and well secured. I did agree to look at the box briefly though, and told them they were correct as it was indeed crawling with nasties. The first things that the malware had done were to destroy the AV software and turn off the software firewall. The latter being an interesting point: seeing as software firewalls can simply be turned off by malware, there’s little point having them. I told them that every infected machine I had ever gone to had (once) had antivirus software running on it, well let’s say the AV s/w was "supposedly installed", in that the mfr or user had installed it and not removed it. There was the usual sorrowful whimper of "but I had antivirus, and a firewall". One could indeed have some sympathy with home and business users in such a situation. But after confirming the diagnosis I went and left it well alone, since, as I said earlier, the users were not up for paying for professional security consulting services. I did add these two experiences to the time-until-infection stats records that I was keeping though.
God, Win XP (pre SP3) was a dog’s breakfast, and when it came out I was immediately horrified as I couldn’t believe the cynical attitude of Microsoft, who were releasing XP, the first truly home-user Win NT family product, with the default privilege level being that of administrator, not that of a standard user. It was a disaster compared with NT 4.0 in this respect (and was that also true [?] for the fine NT 5.0, aka Win2k? - can’t remember). And there was also MS’s couldn’t-care-less attitude of not forcing developers to make all apps run fine without enhanced (i.e. administrator) privileges. They of course knew that the result would be chaos and disaster for the users (and for MS themselves too, if they had any wit at all). MS should have had an app certification program, like Apple does now with the App Store and like some serious o/s vendors such as DEC did: when you paid a lot of money for some software it would be "certified"/"approved" or whatever, so you knew that such software would work and not wreck the o/s.
I never ever bothered with software firewalls in Windows; always removed them immediately as one less thing to have to debug. And it goes without saying that I always clean-installed Win NT-family o/s’s straight from genuine MS media so no third-party antivirus in sight.
Mind you, perhaps the value, if any, that software firewalls have where they are fully and deeply integrated into the o/s and well secured as an o/s core feature is as a more or less sophisticated system of ACLs, which should have capabilities of process-awareness (pid-awareness) and application-awareness, or a friendlier abstraction of both of the two, that can be quoted in firewall rules. This is something that is hard to integrate into hardware firewalls. Perhaps a very, very powerful and extremely friendly capability could come from exporting o/s-concept-level annotations into a hardware firewall. An o/s sends a set of "labels" to a firewall or router, and these labels allow the device to display flows / sessions in meaningful language, so that source ports and of course source addresses are mapped to pids and to app names, and IP addresses are of course mapped to names of boxes. (I like the 20-bit flow label thing in IPv6, shame what has happened with it, btw.) IPv6’s horrible addresses really need translating into English and expanding fully now more than ever. Perhaps once again there might be scope for remote control of hw firewalls, so that an o/s with its per-app and per-process type ACLs could send those up to a gateway firewall and pre-translate the ACLs into per-src-port etc. language that is easy for a firewall to understand. Alternatively, sending up rules in an "OS-type / ACL format" would mean that the o/s wouldn’t have to understand everything about the details of firewalls’ differing native rule formats, giving some abstraction. Mind you, not sure if that’s entirely a good or safe thing, as we want things to fail if the firewall’s capabilities don’t match what we’re trying to get.
Apologies to XGS, Chrys et al for wandering off into my former designer life 25 yrs ago, but with things now surely made extremely foggy and annoyingly vague and half-baked.
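As an added illustration of the idea sketched in the comment above (not the commenter’s code, and not any real firewall’s API): a toy translator that takes OS-level per-application ACLs plus the OS’s socket table (source port to pid to app name), emits the per-source-port rules a hardware firewall could understand with a human-readable label on each, and refuses to emit anything if the target firewall lacks a capability the policy needs. The socket table, ACL, capability set and rule syntax are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Socket:
    src_port: int
    pid: int
    app: str

# Constructed socket table, as an OS might export it to a gateway firewall.
SOCKETS = [Socket(49152, 1203, "browser"), Socket(49153, 1203, "browser"),
           Socket(49200, 877, "updater"), Socket(49300, 2210, "unknown-tool")]

# Constructed OS-level ACL: app -> allowed destination ports. Apps with no entry get nothing.
APP_ACL = {"browser": {80, 443}, "updater": {443}}

# Constructed capability set of the target firewall; translation fails closed if one is missing.
FW_CAPS = {"src_port", "dst_port"}

def label_flow(src_port: int, sockets=SOCKETS) -> str:
    """Map a source port back to 'app(pid N)' so the firewall can show flows meaningfully."""
    for s in sockets:
        if s.src_port == src_port:
            return f"{s.app}(pid {s.pid})"
    return "unknown(no pid)"

def translate(app_acl=APP_ACL, sockets=SOCKETS, caps=FW_CAPS) -> list:
    """Expand per-app rules into per-src-port rules with a default deny.

    Raises ValueError when the firewall cannot match on a field the policy relies on,
    rather than silently emitting a weaker rule set.
    """
    for needed in ("src_port", "dst_port"):
        if needed not in caps:
            raise ValueError(f"firewall lacks '{needed}' matching; refusing to emit a weaker policy")
    rules = []
    for s in sockets:
        for dport in sorted(app_acl.get(s.app, ())):
            rules.append(f"allow src_port={s.src_port} dst_port={dport}  # {label_flow(s.src_port, sockets)}")
    rules.append("deny any  # default")
    return rules

if __name__ == "__main__":
    for rule in translate():
        print(rule)
```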