The average vulnerability bug that you're likely to get having taken those precautions (no open ports to the internet, no live code running on untrusted webpages, etc ) easily sidesteps antivirus protection anyways.
I know, security is all about layers, but the usability and performance tradeoff gained for this paper tiger protection is not worth it, in my mind.
However, I'd also run EMET to make it a bit harder for an exploit getting past NoScript to operate correctly.