Yeah, yeah, yeah, the old "I've been doing this for 30 years so you should bow down before me." Big deal, a lot of people have one year's experience thirty times. Been to Hamburg yet? That is code for a cred check, smile off.
I don't want to belittle you, only ask you to recognize that your experience does not necessarily square with the experience of many other people around the world. The meme that a bare Windows machine will be infected with viruses when connected to the internet is the meme of those who sell anti-virus programs. More people have had computer problems caused by anti-virus programs than ever had viruses. I know that statement is anathema to big iron folks, but it is nonetheless true. I don't know why people think that a hugely profitable company produces crap, or that a multi-billionaire can't run a ten-man cabinet, but there it is. Imagine my amazement.
I have not experimented with firewalls for at least 10 years, but I suspect it might help to stop the MS crapware and spyware. The problem however is the arms race between the firewall and other OS components and apps to get low in the network stack. I would recommend turning off networking but that defeats the purpose of having a computer. But NAT routing should provide most people protection from incoming connection attacks and safe browsing will protect them on their outgoing connections provided they can turn off auto-update.
The only changes to the security of Microsoft Operating Systems in the last thirty years have been dramatic improvements in obfuscation and non-attribution for those who hack them.
The reason Diogenes is still out there with his lamp looking for an honest man, is that his probability of success in that quest is much greater than the probability of him finding an uninfected Windows machine on a network.
There are two kinds of Windows users:
The first are individuals who use Windows and KNOW their devices and networks are thoroughly compromised and infected.
The second are individuals who use Windows and haven’t got a clue.
If you are faced with a non-negotiable operational requirement to use Windows, ensure you obtain your hardware from one of the very few approved product list sources, pop the hood and harden the BIOS, run Windows in a Virtual Environment hosted in Linux or Unix, and invest in a comprehensive set of security tools that let you see what is going on in the entire device, especially those areas that are not mapped by the Windows Operating System.
If you want to use encryption, know what you are doing, and have the ability to discern which products really work, encrypt the entire Virtual Environment. Encryption within Windows, like passwords, is a speed bump at best to any mildly competent hacker.