I believe that for the common user, a firewall is necessary, as they don't know how to close ports or do other things to stop services. Since there are tons of things running on a default M$ install, this leaves them vulnerable and open to an attack.

I consider myself more of an advanced user of M$, yet I do run a firewall. I do keep all unnecessary services turned off, but still find that having a firewall is a good thing.