I can't remember the last time I received a false positive, although the only time I ever get warnings is when I mistype a URL and end up and something like yuotube.com. That case only presents an issue when running IE anyway, which I only need it for certain sites. Usually run FF w/ adblock and noscript, so when just browsing the web, it will always be with FF.
If you aren't downloading a lot of random apps, and run a secure browser, antivirus software probably won't get much use, but it's always nice to have when you make a mistake on the web (site or app), or insert a USB disk that has something nasty waiting for you on it.
Be aware that FF is missing some security tech these days. Chrome and IE9 both operate at a Low integrity level and feature their own flavors of sandboxing.
FF has neither mitigation, which is rather odd since they've always claimed to provide security benefits. But if you like FF, you can use Sandboxie to sandbox it, and it's also possible to force it into Low-integrity operation (although this reportedly must be redone after every update).
If you like to control what sites can run scripts, NoScript works on FF, but IE has had that capability since IE5 back in 1999. They just don't have a catchy name for it Succintly: set the Trusted Sites to Medium-High security and add the desired sites to it, then set the Internet zone to HIGH or just cherry-pick what you don't want to run (Scripts, Java, ActiveX). Done.
Regarding the main topic, if you want a very powerful blanket defense that covers many popular angles of attack, then I suggest
Software Restriction Policy if your Windows version supports it (Win7 Pro/Ultimate/Enterprise, Vista Business/Ultimate, WinXP Pro/MCE). Once you understand how it works, it's pretty easy to live with. Not much impact on performance, either.
If you can't use SRP, next best is the poorly-named Parental Controls on Vista or 7: enable program control, whitelist all the existing apps on the system, and then any new stuff will get blocked, including exploit payloads.
With either of these, make sure UAC is enabled and that your user account is a Standard User (create a separate Admin account just for Admin roles). If you're the only user, a password on the Admin account is not really necessary, making management easier.