Plain old AVG seems adequate. The various ratings sites say it isn't that effective, but it seems to work for an awful lot of people. Avast and CLAM AV are good free options, as well.
http://free.grisoft.com/
http://www.avast.com/
http://www.clamav.net/
The built-in XP firewall is sure better than
nothing 
but it is rather limited. I use Ghostwall because it's very small and lightweight, but does give some extra functionality over the default XP firewall.
http://www.ghostsecurity.com/ghostwall/