Keeping the OS and applications patched is one step that must be taken. A good firewall with application fingerprinting is another. As you say, application restrictions is another. If you think that just because new viruses are not detected is not a reason to have anti-virus, then I want to caution you that there is still a lot of damage being done by old viruses. They are still out there in the wild and you are likely going to come across an old infected file at some point. That file would create problems that could have been prevented by using anti-virus software with signatures for those old viruses. There’s still lots of Code-Red & Nimda out there. Don’t be fooled that just because a virus has not been modified or updated that it is still not dangerous to data and systems.