2) Run as a "normal" user account--not an admin.
3) Disable all auto-opening of so-called "safe" files.
4) Disable Java browser plugin entirely.
5) Configure browser to not load Flash or other plugin content unless I click to authorize it. Might require an extension like ClickToFlash in some browsers.
6) Be cautious. Stay away from sketchy sites and don't open emails and/or attachments that seem random, unexpected, or suspicious.
I've been using the free version of Sophos (http://www.sophos.com/en-us/products/free-tools/sophos-antiv...) on my MacBook for a year or two now, and haven't seen any problems yet. I'm not sure if that means it works, or if I just haven't caught anything yet.
1) Your account is a regular user, not one with elevated permissions
2) Keep system up to date
3) Use the most secure browser for the platform
4) Don't use Java or Flash on such a browser (or plugins/extensions, as a matter of fact)
5) Know what you visit and use common sense
Never had a virus/spyware on Linux, OS X or Windows.
- Not keeping your OS and the software you use up to date
- Opening/running files when you are not fully aware of where they came from, or that are from an idiot/spammy person
With this strategy I never got any virus at all... Not even in Windows XP!