I have just finished listening to the back-episodes of Security Now! # 38, where Steve Gibson describes his approach to securely browsing Web without antivirus and with Internet Explorer. The idea in a nutshell is - use properly locked down IE zones. Steve has modified the security settings of the default (Internet zone) to maximum: not allowing any scripting, cookies etc. Which makes many sites unusable, of course because increasing number of browsers does require Javascript enabled - or else game is over.

For the sites that do need the scripting, Steve recommends adding them to list of trusted site EXPLICITLY, one by one, site by site. This way, only the sites you use and are interested in will get any chance of running code within you browser.

This is very good idea, but has two weak points. First is that it is Internet Explorer and Windows only technique. True enough - combination of Windows users with IE defines the most virus/malware sensitive group of the Net population, but many exploits are impacting Firefox users as well and in Firefox, the zone technique does not work. The second problem is that your list of trusted sites is machine specific. If you are using multiple computers, you will have repeat the process of granting trust to your sites on each of them. I am afraid that few users will have the stamina of doing it ... Even with single computer, it requires patience of a saint.

As many times before: when there is a trade-off between security and convenience, guess what will win ?