You don't have to double-click on something to have it loaded in the background; there are methods, say downloading a useful tool, etc., where you get an unknown present, and since you authorised the initial download, it too will get a free ride through - now it wants to call home - what is to stop it?
Simply visiting some pages could be enough to get an unwelcome present. Trojans get past firewalls, as is proven by the detection of many; those that are undetected (1st day, etc.) could then be free to call home with your details taken from a keylogger, etc.
The overhead of having a software firewall and router is negligible, but the additional protection IMO easily outweighs this overhead.