I think its a very interresting topic, so I decided to start a new thread :
Whats your best strategy ?
I am very interrested to get your opinion
I built this strategy in my office and at home :

first wave :
Trendmicro´s gatelock 200x
costs : 149€
what you get :
linux based firewall in a box
webbased configuration
statefull inspection of web content
antivirus ( trendmicro :-) again )
IDS !!! Intrusion Detection System
broadband nesessarily

second wave:
software firewall
now to all others read this :
only conseal or visnetic firewall does a statefull insteption of the ip packets. tiny / zone/ kerio ect. are all application firewalls.
do not trust those firewall , those application firewalls can be easily outnocked...!
proof ?
1.well test your firewall against a firewal leak tests !( port80 !! )
2. tiny and kerio performing a unwanted update request ( even the update is switched off!! from your local port 1028 / 1029 to port 80. and the user does not recon that there is a connection to a chechoslavakia ipadress. in my opinion tiny and kerio itself performing a firewall breach !
How do I know ? On one of my machines there was the tiny firewall 2.x and the consel firewall installed. conseal blocked (!!) the request and I started to find out who the ip was.
I informed the chechoslovakia isp about this persisent connection . ( I thought it was a trojan named incommand , a webbased bugger)
guess ! one of the kerio firewall programmers emailed me and informed me that this persistent port request was no trojan , it is the update funktion from kerio/ tiny ( by the way I never installed kerio ! ). I looked into it, there was no update enabled in tiny .
so i deinstalled all tinys and installed visnetic and conseal !
a software whith phonehome feature is not nice. a firewall whith such a behavior is strange , isn´ it ?

again you can only see what happening in your system whith a packet filter firewall .
I was convinced that tiny would be great. forget it !
whats your strategy ?