this is what i do for my home / soho / sme customers
these guys are too small for domains,
1) so set users as, you know, standard user accounts. (every single user on every machine i ever see is an admin). simply doing this decreases the attack surface of an out of the box windows machine massively.
2) set up an admin account on the machine with a password. write the password on the pc on a label so they don't forget if they look like they are particularly dim. educate them about what to do when the enter admin password box pops up. so if it pops up for no apparent reason, read the box. look at what is trying to install. if any doubt, say no.
3) install cryptoprevent. this sets up group policies to prevent lots of nasties from launching. it does have issues with some legit programs, notably spotify, due to the way they run their installer.
4) install chrome with adblock plus.
5) install trend WFBS
6) get rid of flash and java
i have nearly 700 customer machines set up like this, with very few problems, usually down to the nature of the sites that they are looking at and then ignoring my advice in point 2)
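
A way to check a machine against points 1, 2 and 6 above, as an added PowerShell example that is not part of the original post. The account name `pcadmin` is an assumption; the script only reads local accounts and the uninstall registry keys and changes nothing.

```powershell
# Added example: audits points 1, 2 and 6 of the post on a standalone (non-domain) PC.
# 'pcadmin' is a hypothetical name for the dedicated admin account; pass your own.
param([string]$AdminName = 'pcadmin')

$findings = @()

# Points 1 and 2: the only enabled local account in Administrators
# (well-known SID S-1-5-32-544) should be the dedicated admin account.
$localAdmins = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' }

$adminSeen = $false
foreach ($member in $localAdmins) {
    $user = Get-LocalUser -SID $member.SID
    if (-not $user.Enabled) { continue }   # e.g. the disabled built-in Administrator
    if ($user.Name -eq $AdminName) {
        $adminSeen = $true
        if (-not $user.PasswordRequired) {
            $findings += "Admin account '$AdminName' does not require a password (point 2)"
        }
    } else {
        $findings += "Account '$($user.Name)' is a local administrator (point 1)"
    }
}
if (-not $adminSeen) {
    $findings += "No enabled admin account named '$AdminName' found (point 2)"
}

# Point 6: look for Flash and Java in the 64-bit and 32-bit uninstall registry keys.
$uninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Adobe Flash Player|^Java[ (]' }
foreach ($app in $installed) {
    $findings += "Still installed: $($app.DisplayName) (point 6)"
}

# Report: one line per deviation from the checklist, or a single OK line.
if ($findings.Count -eq 0) {
    Write-Output 'Baseline OK: standard users only, admin account present, no Flash or Java.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```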