Interesting you say that - I once had a conversation with another tech, a guy who did programming and had a career with a company that specialized in security software for Windows, an older guy who really knew computers and was into such stuff for years, he talked about testing a theory that if you have a PC running Windows, and if you really knew your system and what was and wasn't running on it at all times, shutting down the right unnecessary services and such, you could theoretically connect the machine directly to a broad-band/high-speed internet connection without any firewall of any kind, not from the ISP, the NIC/modem, not a router, not even the Windows built-in firewall, and have the machine run just fine without problems.
I've never tested this idea myself, but here in the U.S. of A. security software is very necessary, and without it they have some statistic out there about an "average life expectancy" of a freshly installed copy of XP with nothing installed connected directly to the internet, which used to be around ~20 minutes before it got worse. After that time had passed, the machine would not function anymore because it would be hacked-up so badly.
BTW, some of the free security apps are rated to work better than many of the commercial ones you pay for these days - My personal favorite is Comodo suite combined with other stuff, but there are other choices out there. I'd also recommend googling "turning off unnecessary services in Windows XP" for a list that will make it more secure and speed things up.