Why is Microsoft Security Essentials not suitable or did I not understand the question? windows.microsoft.com/en-US/windows/products/security-essentials

Oddly enough, everyone's unloved Windows Firewall provides the necessary functionality. It prevents applications from accessing the Internet until they are added to the exceptions.

there is an item in the security policies that allows you to run only those applications that are on the list, so we beat 99.9% of viruses at work.
gpedit.msc - User Configuration - Administrative Templates - System, then the item "Run only specified Windows applications"
and sit under the user account, and use the administrator only when necessary

For surfing the Internet, it’s better then to install Virtualbox and create a virtual machine with Linux or Windows - let all the nastiness look for passwords in it.

read this document: Gubarevich_Peter___Windows_XP_and_Server_2003_Installation_Protocol_v1.2__Russian_.pdf, this is about proper system configuration, minimizes the risk of virus infection, despite the fact that the document is for XP, many points are relevant for 7.

By the way, how will dropbox protect files? I understand that if you delete all files from the dropbox folder on this computer, everything will be deleted on the server too? Or do they have a rollback option?

The answer is “out of box” – in addition to protecting yourself from password leakage, you can reduce dependence on them and, accordingly, the risk of loss will become less significant. That is, what difference does it make that passwords are leaked if they cannot be used?
I'm talking about many things, first of all, about two-factor authorization (all accounts should be created on a service that supports it, for example, gmail).
Secondly, store passwords in an encrypted database, such as KeePass, and again use two factors - a master password and a key file, then even having stolen the database and password, the Trojan will not be able to open (and since 99.99% that this is a massive Trojan , and not specialized for you personally, then it will not look for the key file, and how will it determine which one is needed among hundreds of thousands? .).
Thirdly, use authorization by keys/certificates, etc., where possible, for example, on your own servers, if you have them.
Fourth, technical means: use VPN in all untrusted networks (better in all); use the antivirus anyway (why not?), install the antivirus on the router, let it filter your traffic directly at the input and output; use the program control tools that have already been recommended to you, be sure to work under a user account, not an admin account; set up a firewall on the local machine to restrict both incoming and outgoing traffic; Naturally, the router must also have a firewall; then you can mirror all traffic on the network to an IDS / IPS system, put it on the network in your DLP, conduct regular security audits, change passwords from a specially trusted machine installed from the original media and connected to the network only via vpn for 1 minute,

The first thing that comes to mind:
1) Microsoft Security Essentials
2) Windows Firewall with Advanced Security (Start - Run - mmc - add / remove snap - Windows Firewall with Advanced Security).
3) UAC. If UAC is not suitable for some reason, create a user with limited rights to surf the Internet. At least run the browser as this user.

A Trojan, if its author is not a fool, often injects itself into other programs as a stream and enters the network on their behalf or in general on behalf of the mysterious SYSTEM process.