I just visited a friend yesterday night. Among other things, I helped him clean the spyware off his computer. And, on the spot, I came up with a simple solution to ensure that it won't get infected anymore. Beyond the standard provisions (antivirus, etc.) you also need two separate accounts - one non-administrative account for Internet browsing, email reading, etc., and an administrative one that must not be used to browse the Internet.

Things that you must have:
1) Make sure that you have Windows XP SP2 on your computer. Make sure that your Windows Update is configured to automatically check and install patches. Choose a certain hour at night for this job (by default - 3.00 AM). Make sure that all your patches are applied.
2) Buy a good antivirus product. Make sure that it periodically scans the system at night. Don't go with the free stuff.
3) The Windows Firewall must be turned on by default (unless you need it off for a very good reason). A hardware firewall would be nice to have.

Things that are nice to have (not 100% necessary, but good to get additional protection):
4) Don't use your administrative account for Internet browsing, except for manual Windows & Office patch installation. Make sure that this account is logged on all the time, so that nightly background tasks like virus scanning, patches, etc. keep running.
5) Also, in this administrative account, make sure that the Security settings are set to High for the Internet zone - just open IE and double-click the bottom-left icon or text. So, even if you use IE for browsing, you will still be safe from most problems.
6) Create a separate, non-administrative account. Use only this account for Internet browsing. Assuming that you have Windows XP Home Edition, it is very easy to switch between these two accounts.
7) Install one or several anti-spyware programs. I would recommend Microsoft AntiSpyware beta 1 (which does the check every night at 2.00 AM), but others are good too - for example Ad-Aware or Spybot Search & Destroy.
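
The batch file below is an added example, not part of the original post: it reports the settings from items 1, 3, 4, 5 and 6 so you can check them from each account. It assumes an English-language Windows XP SP2 install (the group name `Administrators` and the `netsh firewall` context are specific to it) and only reads settings; the file name `check-setup.bat` is made up.

```bat
@echo off
rem check-setup.bat - added example, read-only audit of the checklist above.
rem Assumes English Windows XP SP2. Run it once in each of the two accounts.
setlocal

echo [1] Automatic Updates
echo     AUOptions 0x4 = download and install on a schedule
echo     ScheduledInstallTime 0x3 = 3.00 AM
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v AUOptions
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v ScheduledInstallTime

echo.
echo [3] Windows Firewall - Operational mode should read Enable
netsh firewall show opmode

echo.
echo [4/6] Account type of %USERNAME%
rem Local members of Administrators are listed one name per line.
net localgroup Administrators | findstr /i /x /c:"%USERNAME%" >nul
if errorlevel 1 (
    echo     Limited account: fine for browsing and email.
) else (
    echo     Administrator: use only for patching and maintenance.
)

echo.
echo [5] IE Internet zone level for this account
echo     0x12000 = High, 0x11000 = Medium, 0x10000 = Low, 0x0 = Custom
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v CurrentLevel

endlocal
```

The Internet zone level is stored per user, so the value printed in the administrative account is the one item 5 is about.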