What security changes are necessary when connecting DSL modem directly to PC instead of router?

4

Windows XP

I have a user with a single PC that was connected to the internet via a standard home router. The router is now having hardware-related issues and to save money, they're considering connecting the PC directly to the DSL modem since they don't need to share the internet connection or need wireless functionality.

If they decide to do that, I'm concerned that this will introduce additional security concerns. Are the Windows Firewall and Microsoft Security Essentials sufficient for protecting a computer directly connected to a DSL modem? Or is other security software needed here? Ideally, I'd like to avoid having third-party firewall software constantly bringing up alerts and asking them to approve everything.

Also, just to clarify, their use cases are just internet browsing and email.

Mike B

Posted 2012-06-01T22:10:14.653

Reputation: 2 308

1 The built-in XP firewall is pretty darn good; if malware does get on the PC and disable it, it will be a free-for-all. – Moab – 2012-06-01T23:23:21.193

Answers

1

Ugh. Routers are not single-purpose networking devices anymore. Almost all consumer routers now have built-in hardware firewalls that can be surprisingly configurable. Using a software/personal firewall is hardly ideal because they suck up system resources like memory and CPU cycles whereas the one in a router does not impact the system and is practically like having a dedicated security appliance. Moreover, a software firewall is immensely more likely to be attacked (e.g., shut down, circumvented) by malware than one built into a router because there are fewer varieties and versions, which makes finding a vulnerability much easier than finding one for routers since they are so much more diverse.

It doesn’t matter if there is only one system; putting it behind a router helps tremendously with security (so much so that with even a modicum of safe-browsing habits, you can run a system without any sort of security software—e.g., real-time anti-virus, etc.—for years without getting infected with anything).

Not surprisingly, I highly recommend using the router for now until they can get a replacement (are you sure the router is indeed dying? My router has “died” a few times for unknown reasons and eventually recovered). If money is an issue (routers are pretty cheap these days), check local classifieds like eBay Classifieds or Kijiji for an affordable used one.


That said, yes, it is possible to be directly connected to the Internet and still be safe. (I recall installing Windows XP on a directly-connected system a few years ago and discovering that it was infected with the Nachi worm before Windows was even finished installing! It became infected in the second phase of the installation, as soon as the network drivers were installed.)

As you have thought, the most important piece of security software is indeed a firewall. It will prevent malicious connections from coming in and doing harm. The Windows Firewall is generally sufficient to keep novice users, especially careful ones, safe (it was first introduced in XP SP2, aka the “Great Windows Security Overhaul”). A dedicated one is better since it will also control outgoing connections, but if the users are not computer-savvy and will be overwhelmed by prompts and settings (they should be able to “set-it-and-forget-it” once for each program), then the Windows Firewall, with its default settings, can indeed be enough (sort of).

There are plenty of (countless?) anti-malware programs from dedicated security firms, but Microsoft Security Essentials is also generally good.

What security changes are necessary when connecting DSL modem directly to PC instead of router?

Aside from enabling the Windows Firewall and Security Essentials (if they are not already enabled), there are a couple of other things that you can do to ensure they stay clean and safe (though these are good measures in general, even behind a router).

  • Keep the system updated. Make sure to have Windows Updates automatically applied to keep exploits to a minimum. Also set Security Essentials to automatically download updated definitions. In fact, set all of the software that they use regularly (browser(s), plugins, Acrobat, Flash, etc.) to be automatically updated.

  • Give them a crash course to educate them on safe browsing. Teach them the basics of malware and warn them about downloading and executing files as well as about spam.

Synetech

Posted 2012-06-01T22:10:14.653

Reputation: 63 242

Wow. Great feedback and detailed answers. Thank you very much. – Mike B – 2012-06-03T20:20:01.840

2

With the current setup, they have possibly two (or three) layers of security.

Most domestic routers have a stateful firewall (where incoming response packets must match an outgoing request), and also have NAT, which, while it isn't considered a security measure, provides similar protections to a stateful firewall, as incoming connections must match a translation entry in the NAT table, and such entries are only created in response to an outgoing connection.

The third layer is the security feature of Windows XP's built-in firewall and the security applications mentioned.

This proposal removes one or more layers of security and directly exposes Windows XP to the internet (assuming the modem gives a public address to Windows as is usual, and doesn't have any security features of its own).

Deciding whether this is sufficient is a matter of accepting risk. The only way to decide whether the risk is acceptable is to look at the history of Windows XP vulnerabilities and whether these in the past would have been sufficiently mitigated by the security products you use, and if not, whether having the additional layer of security would have mitigated them.

This will give you an idea of the probability of new issues arising in the future, and whether you are protected sufficiently, and what the impact is if not. Combining these is the risk being accepted. Whether this is sufficient is up to the person accepting the risk.

Paul

Posted 2012-06-01T22:10:14.653

Reputation: 52 173
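
Added example (not part of the original answers or written by any of the posters): a toy Python model of the router behaviour described in the answer above, where a translation entry is created only by an outgoing connection and an incoming packet is forwarded only if it matches one. The class and function names are hypothetical, the addresses are constructed documentation-range values, and the model assumes the router also checks the remote address and port of each reply.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class NatRouter:
    """Toy port-translating router with connection tracking (hypothetical model)."""
    public_ip: str
    next_port: int = 40000
    # public port -> (inside ip, inside port, remote ip, remote port)
    table: dict = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """An inside host opens a connection: the only way an entry is created."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for port, entry in self.table.items():
            if entry == flow:  # reuse the mapping for an existing flow
                return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = flow
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet rewritten for the inside host, or None if dropped."""
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None  # no translation entry: nothing inside asked for this
        in_ip, in_port, peer_ip, peer_port = entry
        if (pkt.src_ip, pkt.src_port) != (peer_ip, peer_port):
            return None  # stateful check: not a reply from the contacted peer
        return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port)

def demo():
    """Constructed traffic: one browser request, its reply, two unrelated packets."""
    router = NatRouter(public_ip="203.0.113.10")
    web = ("198.51.100.7", 80)
    out = router.outbound(Packet("192.168.1.2", 1055, *web))
    reply = router.inbound(Packet(*web, out.src_ip, out.src_port))
    unsolicited = router.inbound(Packet("192.0.2.99", 50000, router.public_ip, 445))
    wrong_peer = router.inbound(Packet("192.0.2.99", 80, out.src_ip, out.src_port))
    return out, reply, unsolicited, wrong_peer
```

With the router removed, every packet addressed to the public IP reaches the PC itself, so the drop decisions made by `inbound` here fall to the Windows Firewall alone.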

0

I used to have the same setup a few years ago, when I had a single desktop, and found that a firewall that blocks all unsolicited incoming connections was enough.

For this use case, those tools you propose should be sufficient.

Renan

Posted 2012-06-01T22:10:14.653

Reputation: 7 463

OK, edited to reflect this. – Renan – 2012-06-01T23:26:38.987