September 17th, 2001, 04:23 PM
#17
Senior Member
OK *NIX groupies
I'm an NT admin by trade and a Linux hobbyist. I tend not to get involved in arguments over which is best; in my opinion they both have their merits and faults. Linux is free, though...
If you're interested in how people secure their boxes, here's what I do:
Firstly, as has been said before, don't run services you don't need; that's just common sense. I prefer, though, to have a tight gateway box, and then you can relax a bit on your other PCs. Here's a script I knocked up using the brilliant iptables from the 2.4.x kernel:
#!/bin/sh
# Declare constants
LOCALNET="192.168.0.0/24"          # the LAN behind the gateway (network address, not the host)
INT_IF="eth0"                      # LAN-facing interface
INT_IP="192.168.0.1/32"
EXT_IF="eth1"                      # Internet-facing interface
EXT_IP=""
LOCAL_ADDRS="127.0.0.0/8 192.168.0.0/24"
# Switch on IP forwarding
echo Turning on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Flush all rules. The nat table is separate and has to be flushed on its own,
# otherwise the MASQUERADE rule below is duplicated every time the script is re-run.
echo Flushing rules
iptables -F
iptables -X
iptables -t nat -F
# Masquerade for local LAN
echo Setting nat for $LOCALNET
iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
# LAN traffic arrives on the internal interface, not the external one; matching
# on $EXT_IF here would only ever match packets spoofing a LAN source address.
iptables -A FORWARD -i $INT_IF -o $EXT_IF --source $LOCALNET -j ACCEPT
iptables -A FORWARD -m state --destination $LOCALNET --state ESTABLISHED,RELATED -j ACCEPT
# Create a new chain for logging/dropping packets
# (defined here, but no rule below jumps to it yet)
iptables -N DROPME 2>/dev/null
iptables -A DROPME --proto tcp -j LOG --log-level info --log-prefix "TCP Drop "
iptables -A DROPME --proto udp -j LOG --log-level info --log-prefix "UDP Drop "
#iptables -A DROPME --proto gre -j LOG --log-level info --log-prefix "GRE Drop "
iptables -A DROPME -f -j LOG --log-level emerg --log-prefix "Frag Drop "
iptables -A DROPME -j DROP
echo Building hack attempt rules
iptables -N HACKER 2>/dev/null
iptables -A HACKER --proto ALL -j LOG --log-level warn --log-prefix "Hacker Attempt: "
iptables -A HACKER -j REJECT
# Deny MySQL
echo Denying mysql connections apart from $LOCALNET
iptables -A INPUT --protocol tcp --dport 3306 ! --source $LOCALNET -j HACKER
# Deny X connections
echo Denying X Connections apart from $LOCAL_ADDRS
iptables -A INPUT --protocol tcp --dport 5900:6100 -i $EXT_IF -j HACKER
iptables -A INPUT --protocol tcp --dport 5900:6100 ! -i lo -j HACKER
# Deny other ports
echo Denying SMB from outside $LOCALNET
iptables -A INPUT --protocol tcp --dport 135:139 ! --source $LOCALNET -j HACKER
iptables -A INPUT --protocol tcp --dport 23 -j HACKER
iptables -A INPUT --protocol tcp --dport 111 -j DROP
echo Denying udp up to 1023
# Note: this also drops DHCP client replies (udp/68) and anything aimed at an
# ntpd on udp/123 running on the gateway itself.
iptables -A INPUT ! -i lo --proto udp --dport :1023 -j DROP
# Allow related connections back in
#iptables -A $EXTER_IF -m state -d $
iptables -L -n -v
Obviously this is something you couldn't do with Windows. I'm curious to see what the built-in firewall in XP is going to be like; if it's anything like Microsoft's last foray into security (ISA) then I wouldn't trust it.
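As an added example that is not part of the original post, here is the same kind of NAT gateway expressed as an iptables-restore ruleset with default-deny INPUT and FORWARD policies and anti-spoofing rules on the external interface, loaded in one atomic step instead of one iptables call per rule. The interface names, the LAN subnet, the rate-limited LOGDROP chain and the ssh-only service rule are assumptions chosen for illustration, not the poster's configuration.

```sh
#!/bin/sh
# Added example, not the original poster's script: a default-deny NAT gateway
# as an iptables-restore ruleset. Interface names and LAN subnet are assumed.

LOCALNET="192.168.0.0/24"     # assumed LAN subnet
INT_IF="eth0"                 # assumed LAN-facing interface
EXT_IF="eth1"                 # assumed Internet-facing interface

# Print the ruleset. Kept as a function so it can be reviewed or diffed
# before anything is loaded into the kernel.
gateway_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $EXT_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "FW drop: "
-A LOGDROP -j DROP
# Anti-spoofing: LAN and loopback source addresses never arrive on the outside
-A INPUT -i $EXT_IF -s $LOCALNET -j LOGDROP
-A INPUT -i $EXT_IF -s 127.0.0.0/8 -j LOGDROP
-A FORWARD -i $EXT_IF -s $LOCALNET -j LOGDROP
# Loopback and reply traffic to the gateway itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j LOGDROP
# Services offered to the LAN only (ssh as the example; add others here)
-A INPUT -i $INT_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT
-A INPUT -j LOGDROP
# Forwarding: LAN out, replies back in, nothing else
-A FORWARD -i $INT_IF -o $EXT_IF -s $LOCALNET -j ACCEPT
-A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j LOGDROP
COMMIT
EOF
}

# Number of rules whose target is the given chain; a cheap sanity check
# on the generated ruleset before it is loaded.
count_target() {
    gateway_rules | grep -c -- "-j $1\$"
}

# Load atomically: iptables-restore replaces the nat and filter tables in
# one step, so a typo leaves the old rules in place rather than a half-built set.
gateway_apply() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    gateway_rules | iptables-restore
}

# gateway_apply   # uncomment to load; requires root and a netfilter kernel
```

Run gateway_rules on its own first to read the generated ruleset; gateway_apply replaces the running nat and filter tables in a single call, which is the main practical difference from a script that issues one iptables command per rule and can stop halfway through on an error.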