behind a hw firewall your pretty safe from incoming connections, provided you configured your firewall correctly...
but for outbound stuff your pretty much free to do whatever if your using default configs (unless youve locked it down manually). The outbound connections are source natted to the public ip address of the router for all ports and protocols, this means that if you download a trojan and it decides to spew out a load of spam, there will be nothing stopping it (unless your isp drops it).
Thats where the sw firewall comes in, the sw firewall will block incoming and outgoing connections, although personally i think they are overkill - just apply a bit of common sense to your browsing and learn the operating system and you reduce the chance of picking up a virus or trojan by a lot.
However, if your the paranoid type, you can block all outbound access on the hw fw, configure a proxy (squid?) and only the proxy outbound access over ports 20,21,80,443 and any other ports you use, and tunnel all your traffic through the proxy. Again overkill if you ask me for a home network.