I have always considered a/v useless to the technically competent (i.e. they avoid infection by knowing how to avoid it) and only partially adequate for the rest.
Every time someone on the net reports they got infected, I always used to ask them how, as I am very curious, but they never reply.
This suggests they are too embarrassed to reply (downloaded some fake warez or something) or it's a made-up story, I guess to trash the a/v vendor, since their post is to complain they got infected.
The only time I have had my a/v pop up in over 10 years is rarely for some email attachments, and I think I can remember 1 or 2 webpages.
The best way for protection is likely a combination of using a restricted user account (not admin under UAC, a proper restricted account) and SRP (software restriction policy). The idea being that the only dirs that can run programs are all non-writable, so a payload, if it was able to download to the system, e.g. via an exploited web page in the browser, would fail to run on the system due to lack of local permissions. SRP can be used to restrict execution paths, and a restricted user account will have very limited places it can write to. That combo is extremely powerful and tough to break, better than any a/v.
Other OSes like Linux use limited accounts by default; root is used for maintenance, not for everyday usage. I thought Microsoft were introducing UAC as a stopgap in Vista and had a plan to eventually migrate to restricted accounts, but it now looks like they either abandoned the idea or were never planning to go all the way.
A/v vendors know that a blacklist system will always be behind the curve as it relies on discoveries and fixes being rolled out; that's why they keep trying to make systems that can detect viruses without signatures.
Some things to look into also are Microsoft's EMET tool and using opt-out for DEP combined with a custom DLL someone made. Thread here:
http://www.wilderssecurity.com/showthread.php?t=347514
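
An added example, not part of the original post: a small audit, run as the restricted account, that checks the property described above by listing every directory under the execute-allowed paths where that account can still create a file. The default roots (`SystemRoot`, `ProgramFiles`) and the function names are assumptions; pass the path rules from your own policy instead.

```python
import os
import sys
import tempfile


def can_create_file(directory):
    """Return True if the current account can create a file in `directory`.

    Makes a real attempt rather than parsing ACLs, so inherited and
    group-based permissions are covered. Run it as the restricted user.
    """
    try:
        fd, name = tempfile.mkstemp(prefix="srp-audit-", dir=directory)
    except OSError:
        return False          # access denied, missing, or not a directory
    os.close(fd)
    try:
        os.unlink(name)
    except OSError:
        pass                  # create allowed but delete denied: still writable
    return True


def writable_exec_dirs(allowed_roots, probe=can_create_file):
    """List every directory under the execute-allowed roots that `probe`
    reports as writable. Each hit breaks the rule that a directory may be
    writable or allowed to run programs, but not both."""
    hits = []
    for root in allowed_roots:
        # os.walk skips directories it cannot list and yields nothing
        # for a root that does not exist.
        for dirpath, _dirs, _files in os.walk(root):
            if probe(dirpath):
                hits.append(dirpath)
    return sorted(hits)


if __name__ == "__main__":
    # Assumed roots: pass the path rules from your own policy as arguments.
    roots = sys.argv[1:] or [os.environ.get("SystemRoot", ""),
                             os.environ.get("ProgramFiles", "")]
    for d in writable_exec_dirs([r for r in roots if r]):
        print("writable and executable:", d)
```

An empty result means the restricted account has no directory that is both writable and allowed to execute; any path printed needs either its permissions tightened or an explicit disallow rule.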