Information Security
Service Pack 2 for Windows XP made great advances with the built-in firewall over previous versions. Many features have been added to make it very competitive with other software-based firewalls on the market. As with other software-based firewalls, there is a period during the boot-up phase when the firewall does not protect you; a dedicated firewall does not share this defect. According to many anti-virus companies, the latest form of the Bagle virus can now disable Windows Firewall remotely, exposing your system to the Internet unprotected. Like previous versions of the virus, it does this by sending emails containing harmful attachments. These attachments are typically called 'prices.exe', 'runme.exe', or 'joke.cpl'. The virus sends out copies of itself using spoofed sender addresses. Many anti-virus products do not scan Control Panel applet files, although they function similarly to regular programs.

Although we recommend against using the Windows XP built-in firewall for machines accessing the Internet, it does provide some level of protection while it is running. Hardware firewalls tend to be more secure than their software counterparts, and are generally better suited as a security device.
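A mail-gateway check for the attachment types described above, as an added example that is not part of the original post: it flags attachments by extension, treating `.cpl` as executable, and also by content, since a Control Panel applet is a renamed DLL and starts with the same `MZ` header as an `.exe`. The extension list beyond `.exe` and `.cpl`, the function names and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed block list: .exe and .cpl come from the article, the rest are
# other extensions Windows executes directly.
EXECUTABLE_EXTS = {".exe", ".cpl", ".scr", ".pif", ".com", ".bat"}


def risky_attachments(raw_bytes):
    """Return [(filename, reason)] for attachments to quarantine."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        payload = part.get_payload(decode=True) or b""
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in EXECUTABLE_EXTS:
            findings.append((name, "executable extension " + ext))
        elif payload[:2] == b"MZ":
            # PE files (EXE, DLL, CPL) begin with "MZ" whatever the name says.
            findings.append((name, "PE header behind non-executable name"))
    return findings


def build_sample():
    """Constructed message; payloads are harmless placeholder bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"  # the From header proves nothing
    msg["To"] = "user@example.com"
    msg["Subject"] = "price list"
    msg.set_content("see attached")
    fake_pe = b"MZ" + b"\x00" * 62
    msg.add_attachment(fake_pe, maintype="application",
                       subtype="octet-stream", filename="joke.cpl")
    msg.add_attachment(fake_pe, maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    msg.add_attachment(b"plain text", maintype="text",
                       subtype="plain", filename="readme.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in risky_attachments(build_sample()):
        print(name, "->", reason)
```

The content check is what catches an executable that has been renamed to look like a document; the extension check alone would pass `notes.txt`.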

Comments (Page 1)
on Nov 02, 2004

i do not use xp because i prefer to stay on the wayback edge of microsoft technology; resolutions for nearly all of win98's problems were finally available by mid 2004 .  what little i know of xp was acquired helping friends to rid their systems of a variety of hijackers, spyware, spamware, adware and lsass related crap.  since ive never used nt or win2k, i wasnt familiar with xp's typical startups or running processes so i had to work my way thru them pretty much one atta time.

i was a bit more familiar with the windows firewall (having run across other online users who were unfamiliar with port configuration) and not terribly impressed with it.

the last time i did the xp cleanup thing, i used several applications to do a lot of the work (pestpatrol, hijackthis, etc), but it wasnt til i installed sygate personal firewall that i was finally able to locate, neutralize and get rid of a buncha particularly persistent parasites.  i dont know what inspired me to consider using a software firewall as a diagnostic tool but im glad i didnt discard the idea out of hand.

on Nov 02, 2004
"resolutions for nearly all of win98's problems were finally available by mid 2004"

I would say this is not really the most accurate statement. Most of the time older systems are more exploitable as new patches are not developed for them or at least not as aggressively. Windows XP has many more security related features to allow you to lock down the operating system. You may see a lot of security patches for Windows XP and nothing really related to Windows 9x. The reason for this is because Microsoft is actively fixing Windows XP and is not as concerned about Windows 9x (I forget if 9x is still officially even supported).

A software firewall by nature will not generally provide any insight to any possible problems you have on your machines; generally what you're referring to is the intrusion detection system part of the firewall, which really is a separate entity. A lot of the software firewalls include IDS these days. Only a handful of the hardware solutions have IDS built in; generally you have to tap the network for proper IDS configuration. IDS solutions can give you a wealth of information and are very good tools for finding existing malware.

Pest Patrol is a great product (although its interface and update ability is very out of date) but I am unsure of its future as they were acquired by Computer Associates. Since Pest Patrol does not automatically update and the memory check tool only captures a very small portion of the possible malware products, and the corporate edition is very clumsy to work with, we decided to use other products. The problem is most antivirus products have a big gap from the virus protection and the spyware/trojan protection.
on Nov 02, 2004

win9x isnt officially supported altho ms released a free cd containing all the existing patches and fixes.  i wasnt so much referring to security so much as i was the wealth of incompatibilities and anomalies that make each new new version a work in progress.  if nothing else, although i was hammered daily (like everyone else with a cable connection) by the army of 2k/xp systems that had been turned into zombie bots by sasser worms and their variants, hopefully and continuously portscanning the range in search of new victims, i wasnt vulnerable to anything but annoyance.  still i take your point. 


actually what helped me locate the malware on the system i described was sygate's reluctance to permit outbound connections without asking permission the first time (after installation) an application attempts to automatically connect to a remote server.  i temporarily blocked every attempt and from there it was a matter of going thru the log.


im not a big fan of pest patrol necessarily (for the reasons you mentioned) but it did help to quickly (fairly quickly) remove the first 800 or so objects--cookies, favorites, etc--that had invited themselves in.

on Nov 02, 2004
I am a very strong proponent of Hardware firewalls, and use them exclusively. I do not use the XP firewall, since I find them generally to be a pain. I know the limitation of a hardware firewall (i.e., if you bring a bug inside, it will not protect you), and so I run Norton and keep it up to date. Many pundits in the arena advocate running both, but I find that the false alarms from the software firewall (Zone Alarm mainly until the XP ICF) caused me tons of headaches with my customers, without really finding any additional attacks.

For Dial up users, I guess there is no other choice, but for Always on, I recommend the hardware, and not the software. And a very strong AV product. I see where you are not panning the software one, just saying it is insufficient. Do you advocate both? Or is a HW one with a strong AV product sufficient enough for you?
on Nov 02, 2004
A hardware firewall isn't always necessary. Small locations with relatively low bandwidth (incoming and outgoing) requirements can easily get by with a middle of the road solution: a dedicated firewall server. In this case I'd pick a modest machine with OpenBSD (or FreeBSD for those who just can't bear to sacrifice any performance and have the time to tweak).

Workstations with direct access to the Internet are always a problem -- if I had a large time or capital budget, I'd either use UML (User Mode Linux) or FreeBSD to jail the users and their processes, or, for Windows users, I'd pick either of the previous OS's and run Windows within a heavily protected VMWare session.

All of these solutions are for smallish shops that can pay the labour costs, of course. Otherwise, look for your best stateful firewall with IDS within your budget.
on Nov 02, 2004
"i wasnt so much referring to security so much as i was the wealth of incompatibilities and anomalies that make each new new version a work in progress."

More things have compatibility problems with Windows 9x than they do with Windows XP. Windows XP is actually many times more stable than Windows 9x.
on Nov 02, 2004
Easy way for this not to matter. Don't open attachments like "runme.exe". Easy.

These things can only really infect your PC or cause problems if you don't monitor what's happening on your own system... same for any OS.
on Nov 02, 2004
It sounds like a good plan, but remember there are exploits that work through JPGs these days, trojans can be installed just by surfing the web although it is true 90% of all virus activity is done through email, trusted sites can harbor viruses and trojans if they are compromised. There are even tricks used to make the attachments look like word documents or text files. Known viruses can be repackaged and even hex edited to slip by even the best virus protection.

And above all, a firewall does not act as an anti-virus solution so really it has nothing to do with attachments or infections. A firewall protects you against hackers using exploits with services you run to compromise the security of your box and it also provides a logging facility to log all activity.
on Nov 02, 2004
I find that Sygate Personal Firewall does a good job for me coupled with AVG and Norton Anti-virus. I keep Norton running at all times, and do additional scans using AVG as it can sometimes catch something Norton missed (which isn't often).

This setup works for me as I use a WiFi card to access the net and during XP boot-up the firewall is activated before the WiFi card connects. So far I haven't had any problems with this.

Now if I can only get the WiFi card properly configured under Linux, I'll be all set. grrrrrrrrrrr
on Nov 02, 2004
Norton and AVG are not among the best anti-virus products on the market. Both have a lot of problems catching trojans and repackaged viruses. And they also have amazingly slow updates taking almost 30 hours to respond to the latest threats.
on Nov 03, 2004
I always disable the XP SP2 firewall and rely on a hardware solution. You just know that anything Microsoft make will be hacked/cracked and open within weeks of it being released.
But, if there is nothing else available then it's better than nothing.
on Nov 03, 2004
9x support has been extended to something like 2006/7.
on Nov 04, 2004
Just because phone support has been extended does not mean there will be latest and greatest security patches.
on Nov 11, 2004
So do the WB screenshots I see that have the little sp2 shield in the taskbar mean that their firewall is off??
on Nov 11, 2004
I used to run AVG for almost a year, until I bought System Mechanic pro5, coming with Kaspersky AV.
Ha! it found 13 viruses/trojans...
Need more?
Som'ing else now, don't compare windows 9x with XP, they don't stand any chance.
I've installed SP2 45 days ago and since then I almost forgot it's in!
Works perfect, IE is much faster and faster than firefox, sorry!
As for attacks? I only got 2 trojans, immediately scanned by Kaspersky and deleted
Consider that very good since I'm on the net almost 16 hours every day!
Keep it up!