So, you have clarified the question, so I will write specifically.
1. Set up the Windows firewall in paranoid mode, cutting off everything that should not have access to the Internet and from the Internet.
2. If the router has a firewall, set it up in the same way.
3. Regularly install updates manually (or centrally, as a last resort) or enable auto-updates.
4. If the computer is in a domain, disable using group policies and AppLocker to start applications from non-system and Program Files folders. Restrict the circle of users who have access to this computer. Ideally, the domain administrator and user account should have access.
5. Disable the default Administrator, create an account with the same username and complex password. Of course, you need to create another administrator with an even more complex password.
It seems to be everything, but if paranoia has already broken out, then you can still buy IDS: D

Additionally - specify Yandex servers or similar services as DNS .
Put an adblock on the browser.
Enable standard system file protection and set up a system backup so that you can recover at any time.
Backup must be done under a different account.
Administrator and user should not have access to the backup folder.

What can be done to improve security against Internet threats?

Install an ad blocker in your browser. And let him learn not to click anywhere.

I will add Artem to the answer , in addition to setting up a system backup, teach the user how to backup user data, perhaps add some kind of automation to him in this regard. In the clouds, on removable media - to taste. If this is a home computer, then the system will not be reinstalled for long, and working documents or favorite pictures will be lost - there will be trouble.

The built-in antivirus is good. It does its job silently and decisively )))
However, there are users who run ransomware themselves and answer the question "Do you want to destroy all your files?" always answer YES!
From my practice, NOD32 performed well in silent paranoia mode. It is quite inexpensive. According to the logs, I see how it blocks attempts to download / run another surprise. In general, I am 90% satisfied. Sometimes it starts blocking the necessary sites due to security certificates. It is solved by updating, kicking the admin of that site or adding the desired site to the white list.
And yet, no protection will help protect the user from the desire to shoot himself in the foot. Reserve leg only. As it was correctly written here, access to the backup should be denied to all users except for the special backup operator.