Yeah, just by visiting an infected website, or opening an attachment, you can get a virus. A firewall isn't effective against those.
There are bad things that a firewall does block (worms and annoying Windows messaging popups offering to sell you something to prevent Windows messaging popups*) but you need up-to-date virus protection running on your PC.
Some of the most annoying crap out there are "ad-trojans". All that "free" software you download does a bunch of stuff you don't want, the least of which is slowing down your computer. Because you invite these in, actually install them, no firewall or anti-virus software will help (I think Norton and McAfee are starting to notice these though). There is help in the form of "Ad-aware" and other software designed to detect and delete ad-trojans.
It's a jungle out there.
5 years ago I felt virus protection software was worse than the chance of catching a virus. Now I happily subscribe to it on any PC I use.
*You don't need a firewall to get rid of these, just disable the "Windows messaging service". This is a gimmick MS threw in to give LAN administrators a way of broadcasting messages to people using the LAN, but it gives a back-door to any geek to annoy you. Check Windows help for advice on how to disable this "service".