PC knows all that already. He has reasonable security settings, antivirus software, and antispyware software. I don't know if I've persuaded him to keep Windows up-to-date, though.
The problem is that there are still a bunch of unfixed security bugs in Windows that allow a malicious site to download trojans if you just visit the site without even clicking on anything. This has happened to me several times in the last few months, and I probably have stricter security settings than most people here.
The safest way to surf nowadays is to disable Java (Microsoft calls it the Microsoft VM, i.e. Virtual Machine) and Javascript (Microsoft calls it active scripting). Most trojans use one or the other of these. Very few sites use Java legitimately, so you will hardly miss anything if you turn off Java. Javascript is used mostly for pop-ups, but there are some major sites (like Microsoft) where a lot of things don't work unless you have Javascript enabled. I would recommend disabling Javascript in your Internet Security Zone, and enabling it in your Trusted Sites Security Zone, and put Microsoft and similar web sites in the Trusted Sites list, provided of course that you do trust them not to drop trojans on your computer. Of the porn sites that get posted here, I would guess that 1 or 2 out of a hundred actually require Javascript to display photos, so you won't be missing much. And you can always re-enable Javascript, though it's a nuisance to do all that clicking.
If you disable Javascript and you still get any pop-ups, that means that your computer is infected with adware and/or exposed to hackers and worms. In the latter case, you need a firewall.