Post 1, that's sort of right, but the user can sometimes, if they slip up, let things bypass many of those layers at a time. For example a user who deliberately downloads a program they think is safe but is actually dangerous, and then tries to run it, has bypassed the firewall, the anti-exploit, updates and any browser protection already. Also in some circumstances, like drivebys caused by adverts on legitimate sites (sometimes happens to big news sites with ads round the corners), the user isn't a line of defence, everything happens much too fast. You'll need anti-exploit protection, even better script blocking and anti-exploit working together, to stop this.
The user doing 1 isn't very safe, but if they use a browser that isn't IE or edge and they keep that browser, any plugins, flash and such updates, but not windows they won't be so unsafe. If they add in script blocking they'll probably be ok most of the time, but it's better to have windows' security updates as well. Just check for security updates manually each tuesday evening/wednesday morning, then install them, ignore non-security updates if you don't specifically need them.
The user doing 2 can't be safe unless the system is always offline and they never plug in anything to transfer files to it (by USB/CD/DVD...) which hasn't come from a computer they know to be clean from infections and that they've scanned the files many times on.
The user doing 3 is almost* certainly safe, but still needs to be careful. non-critical windows updates are generally not security ones, they're bug fixes. This user MIGHT have the odd usability bug in some programs which they could have updated but haven't but their security will not be weakened. I don't install any windows updates that aren't security updates, there may be some usability bugs on my system that weren't fixed but I've never encountered them. As for security mine is good.
All 3 of these users could be infected though, so keep backups. All 3 of them would benefit from something like noscript, they'd also benefit from disabling plugins in browsers except on the few occasions they need to use the plugins. All 3 of them ought to follow careful practices. Without the anti-exploit the users would be much less safe, due to the driveby risk, many drivebys use newly developed viruses so antivirus and antimalware won't catch them.
*Note the word "almost", no-one is ever 100% safe. That's why backups of personal files and system images of operating systems, settings and programs are crucial to have.
Edited by rp88, 10 April 2016 - 02:49 PM.
Back on this site, for a while anyway, been so busy the last year.
My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB