I wouldn't run a Windows machine without MSE and EMET. While I'm not likely to catch an infection because of the way my browser is set up, I can't see any good reason not
to add a bit of extra protection - yes, there's a (in the normal case minimal, IMHO) performance penalty, but it's worth it.
My browser setup: Firefox without Java, Flash or Adobe PDF plugins, with AdBlock Plus + NoScript + Ghostery + Certificate Patrol add-ons... also, all DNS requests go through DNSCrypt, so I'm not getting MITM'ed there either (not a big chance of that happening at home on a wired connection, but still).
I wish there were an equivalent of a chroot jail on Windows, but there isn't.
Chroot isn't all it's cracked up to be - if there's a local privilege exploit (which you'd also need on Windows to go from LUA->Admin), you're dead anyway. Yeah, it's an extra piece of mitigation and that's always useful, but it's definitely not a catch-all.
Does anyone have any experience with Sandboxie or something similar? Sounds right, but not sure how well it works.
Hmm, I'd personally go for a full VM - a bit more bother, but also more thorough isolation from the host. Sandboxie would be fine for testing out non-malicious software without having to clean up your system afterwards, but I wouldn't trust anything but a full-blown VM when security is involved.