Great post, MB-G26.
One fundamental that I didn't see here, and to me the most important:
Don't allow users to be an administrator. Create an admin account with a password and have all other accounts be non-admins. My ex-wife's laptop with Windows 7 and NO ANTIVIRUS SOFTWARE ran great without getting infected for almost 18 months. When she finally did get a malware infection, I was able to clean it by deleting her profile after backing up her files. A study I read stated that not running as an admin account will prevent about 80 percent of all malware. At my job, we simply delete the user's profile when they get infected.
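The setup the comment above recommends (one dedicated admin account, every day-to-day account a standard user), written out as an added PowerShell example. This is not the commenter's code. It drives net.exe rather than the newer LocalAccounts cmdlets so it also runs on Windows 7; the account names LocalAdmin, alice and bob are placeholders you would replace with your own.

```powershell
# Added example: enforce "nobody works as an administrator" on a Windows workstation.
# Run once from an elevated prompt. Uses net.exe so it works on Windows 7 and later.
# $AdminName and $StandardUsers are illustrative assumptions, not real accounts.
#Requires -RunAsAdministrator

$AdminName     = 'LocalAdmin'        # dedicated admin account used only for UAC prompts
$StandardUsers = @('alice', 'bob')   # accounts people actually log in with day to day

function Test-IsElevated {
    # True only if the current token holds the built-in Administrators role.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdministrators {
    # Parse 'net localgroup Administrators': members sit between the dashed
    # separator line and the "command completed successfully" trailer.
    $inList = $false
    foreach ($line in (net localgroup Administrators)) {
        if ($line -match '^-{5,}')               { $inList = $true; continue }
        if ($line -match 'completed successfully') { break }
        if ($inList -and $line.Trim())            { $line.Trim() }
    }
}

if (-not (Test-IsElevated)) { throw 'Run this from an elevated PowerShell prompt.' }

# 1. Create the dedicated admin account if it does not exist yet.
#    '*' makes net.exe prompt for the password instead of taking it on the
#    command line, so it never shows up in process listings or shell history.
net user $AdminName 2>&1 | Out-Null
if ($LASTEXITCODE -ne 0) {
    net user $AdminName * /add /passwordchg:no
    Write-Host "Created $AdminName"
}
net localgroup Administrators $AdminName /add 2>&1 | Out-Null

# 2. Demote the day-to-day accounts to standard users.
#    Note: an already logged-in session keeps its admin token until the user logs off.
foreach ($u in $StandardUsers) {
    if ((Get-LocalAdministrators) -contains $u) {
        net localgroup Administrators $u /delete | Out-Null
        Write-Host "Removed $u from Administrators"
    }
    net localgroup Users $u /add 2>&1 | Out-Null   # harmless if already a member
}

# 3. Verify. Only the dedicated admin and the built-in Administrator (disabled by
#    default on Windows 7) should remain in the group.
Write-Host ("Administrators now: " + ((Get-LocalAdministrators) -join ', '))
```

Afterwards, software installs and other privileged actions trigger a UAC prompt for the LocalAdmin credentials instead of running silently with the logged-in user's token, which is the property the comment is relying on. If malware does land in a standard user's profile, it has had no rights outside that profile, which is what makes the "back up the files and delete the profile" cleanup described above a reasonable recovery step.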