The version of Windows is an important consideration here. With Windows 9x/ME, gaining complete control of the operating system is a bit more difficult because there are very few network services running on the system. Even so, it is still possible. Recent RPC exploits would allow an attacker to gain control over a system without using a trojan.

If Windows 2000/XP is your OS of choice, then yes, it is very easy to get complete control of the system. It may be as simple as cracking a password to log into the telnet server with (if the telnet server is enabled, of course). Password cracking can also be applied against Microsoft's Terminal Services. Once a password is found, it's as simple as making a Remote Desktop connection to the system. Besides this, attacking an unpatched Windows server with a known exploit is trivial.

Lastly, an attacker may be creative enough to convince you (through an email or some other form of social engineering) to open your XP Pro desktop for remote support, which also uses RDP (Remote Desktop Protocol).

As for the integrated firewall, it must be enabled before any protection is afforded. If the firewall is enabled, then any exploits directed at network services on the system will be dropped. If an IE flaw is exploited, the attacker may be able to coax your system into downloading a backdoor (e.g. Netbus Pro), but the attacker still would not be able to connect to the backdoor due to the integrated firewall.

Hope that info is of some value.
_TOMDAQ