First, the XP firewall is NOT one way. It is, in fact, quite capable of blocking outgoing connections, but blocking outgoing connections is completely useless about 99.9% of the time from a security standpoint, so there's no point.
Second, NO firewall, be it in a router or software firewall like ZoneAlarm, will prevent someone from downloading malware, or a drive-by style malware installation exploiting one of dozens of different IE security vulnerabilities. That, quite simply, is NOT the job of a firewall. If you expect this sort of service from a firewall, expect to be very disappointed. It's important to know what a firewall will and will NOT protect you from. There are a lot of things they WILL NOT protect you from that you quite probably thought they did.
Third, the biggest threat to computer security is user ignorance. Computers are not appliances, no matter how much Apple and Microsoft try to convince you otherwise. They do require some care in their use. There really should be the equivalent of a driver's ed course for computers, but there's not, so it's up to everyone to educate themselves.
Fourth, it's not rocket science to keep a computer running smoothly. Really. The thing that sets "geeks" apart from everyone else is that the "geeks" recognize the similarities between computers and other areas of life, and apply lessons learned in one area to another. As an example, before email made spam a possibility, there were people running scams by postal mail and phone. There still are a few people doing this, but email is much cheaper and lower risk, so it's not so common anymore. If you know it's not a good idea to give out your social security number to just anyone over the phone, why then would it be a good idea to do it over the Internet?
Here are some tips you can pass along to your friend. If she follows them strictly, after her current mess is cleaned up, I can pretty much guarantee she will enjoy long periods of uninterrupted use of her computer. Even if she only follows the don't use IE, don't use file sharing or P2P programs, and don't use pirated programs suggestions, the number of problems she experiences should drop dramatically.
TIPS FOR A SMOOTH-RUNNING SYSTEM
The more of these suggestions you follow, the fewer problems you should have. Follow them all, and you've probably eliminated at least 95% of all potential problem sources.
Things you should NOT do
1: Use Internet Explorer
2: Use any browser based on Internet Explorer
3: Use Outlook or Outlook Express
4: Open email attachments you haven't manually scanned with your virus scanner
5: Open email attachments you were not expecting, no matter who they appear to be from
6: Respond to spam messages, including using unsubscribe links
7: Visit questionable websites (e.g. porn, warez, hacking)
8: Poke unnecessary holes in your firewall by clicking "Allow" every time some program requests access to the Internet
9: Click directly on links in email messages
10: Use file sharing or P2P programs
11: Use pirated programs
Things you SHOULD do
1: Use a browser that is neither IE nor IE-based
2: Always have an up-to-date virus scanner running
3: Always have a firewall running
4: Install all the latest security updates (the exception to the no-IE rule)
5: Delete all unsolicited emails containing attachments without reading
6: Manually scan all email attachments with your virus scanner, regardless of whether it's supposed to be done automatically
7: Copy and paste URLs from email messages into your web browser
8: Inspect links copied and pasted into your web browser to ensure they don't seem to contain a second/different address
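
The link inspection described in the last tip can be partly automated. The following is an added example, not part of the original post: a small checker that flags the common ways a pasted URL can carry a second or different address. The function name `inspect_link` and all sample URLs are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qsl, unquote

def inspect_link(url):
    """Return reasons the URL may lead somewhere other than it appears to."""
    findings = []
    parts = urlsplit(url)
    host = parts.hostname or ""

    # Anything before '@' in the authority is a user name, not the site.
    if parts.username is not None:
        findings.append(f"text '{parts.username}' before '@' is not the site; real host is '{host}'")

    # A bare IP address where a site name would be expected.
    try:
        ipaddress.ip_address(host)
        findings.append(f"host is a raw IP address ({host})")
    except ValueError:
        pass

    # Punycode labels can render as look-alike characters in the address bar.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append(f"host '{host}' contains a punycode (xn--) label")

    # A second address passed as a query parameter (redirect-style links).
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        inner = urlsplit(value)  # parse_qsl has already percent-decoded value
        if inner.scheme in ("http", "https") and inner.hostname and inner.hostname != host:
            findings.append(f"parameter '{name}' carries second address '{inner.hostname}'")

    # A second address embedded in the path.
    path = unquote(parts.path)
    if "http://" in path or "https://" in path:
        findings.append("path contains an embedded address")

    return findings

if __name__ == "__main__":
    # Constructed samples using reserved test domains and a documentation IP.
    samples = [
        "https://example.test/account",
        "http://www.example-bank.test@203.0.113.5/login",
        "https://example.test/redirect?to=https%3A%2F%2Fother.example%2Fpay",
    ]
    for s in samples:
        print(s)
        for reason in inspect_link(s) or ["nothing suspicious found"]:
            print("   -", reason)
```

An empty result only means none of these specific patterns were found; it does not vouch for the site itself.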