2) http://www.vidalia-project.net/
If step 1 sounds like martian to you, get Vidalia.
It combines Tor with a very friendly interface, and more.
Very easy to install and use.

Might I suggest a few more for the list?

The first one is hard to do, but it’s, “Don’t invest in companies that sell tools that make it easy to spy on users.”

Panorama/JP Morgan invested in Narus, the company that made the monitoring gear the NSA used to spy on anyone using the AT&T network. Narus’ CTO is even on the Panorama advisory board (so am I…although after this post, who knows? :)

Other things to consider:
1. Get an account at dreamhost or another hoster that allows ssh, and use putty to set up a ssh session as a SOCKS proxy. Then all your surfing traffic appears to originate from a web host rather than your actual location, and all your local traffic is encrypted so your broadband provider can’t spy either. It also makes it easy to use “secure” web sites because you always appear to surf from the same “safe” IP address that will be known by your bank, broker, etc., despite the fact you’re actually surfing from a bar in Ecuador. Or so I’ve heard.

1. Use VMware Workstation to provide a separate virtual machine for surfing and email. Use another for private documents. (and you can use the SOCKS proxy trick with the virtual machine too…) VMware server sucks for desktop use but it’s free. Workstation is cheap and much better.

2. Use Copernic for desktop search – no privacy issues; it’s all local.

3. Check out hushmail.com for web-based secure email that’s actually secure.

4. Use an adblocker in Firefox so even if the bastards get your information, they can’t use it to harass you online.

5. Pay for your broadband service in the name of a company, not your individual name.

Interestingly, in my VP Marketing role at Zeus Technology, I use a service called leadlander that does a reverse DNS lookup of every IP address that hits our web site, and I get a daily report that says which companies own those IP addresses. You can bet we call those companies first. We also know when competitors view the site.

A good idea (that I haven’t yet implemented) is for companies to themselves use proxies for outbound traffic (although SOCKS isn’t necessary – a VPN tunnel to a box with a non-company IP address is fine) – to prevent their competitors and vendors from tracking what they’re doing.

@Peter – thanks and agreed some of these many be tough for the everyday surfer, but the more folks that understand the problem the better, IMHO.