I will try a list to simplify your search for solutions to your concern.
Your paranoia is founded! In fact - if you bank and shop online, you might seriously consider using a LiveCD of the latest version of Puppy Linux. This will keep malware and criminals from writing to your hard drive, and they can't write to a closed session CD/DVD. Even the latest version will auto update and you can use familiar browsers like Firefox. Most banks accept Mozilla browsers now, and if set in IE mode, they may accept them anyway. Be sure to reboot before and after your bank session; if you need to save anything, Puppy Linux will ask if you want to save to flash upon shutdown or reboot. I will follow this suggestion with a descending order of security comparable to this technique, but ease of use will be ratcheting upward with very little compromise in security level. Keep in mind that during sessions between reboots, it is still possible to read your keyboard, video, or otherwise spy on some session functions, but with Linux this is greatly reduced. A lot rides on whether you trust the bank or shop page you are on when using SSL (Secure Sockets Layer) to do your business.
A. Puppy Linux Live CD - already mentioned.
B. Microsoft Steady State - this is only available to XP users, and support is not available on Vista/Win7; however, several good third party companies have carried this type of safety onward. This is similar to turning your hard drive into a state similar to a LiveCD, but may not be as safe.
1. If one is to believe the makers of Drive Vaccine - they have the best protection for this type of science. They have been around a long time and in fact used to offer hardware solutions along with the product (PCI). But now they claim it is even better as a purely software solution. This one is easier to use, because it lets you save data to a virtual environment, and updates to software/operating system can be approved on an as-needed basis.
2. Faronics Deep Freeze - this one is less secure than the previous solution, but in the last 15 years our local college has never had a network compromise since using it on every student computer. It may be more difficult to update your PC, and you will have to have every anti-virus (AV) and anti-malware (AM) solution you can to make this unguarded state safer. Of course, rebooting before doing maintenance can minimize this possibility of compromise between drive states.
3. Microsoft Steady State is the most difficult to use, but still about as safe a solution as you can use for free - next to LiveCDs.
C. Previously mentioned "virtual" environments like Sandboxie can be had, and can work almost like a LiveCD. But I suggest ending each protected browser session before and after using a bank/shop site. I really don't mess with virtual environments, because my clients can't figure them out, and they won't use them anyway - so I try alternative methods to make each "session" safer.
1. Top of the list in this category is using the built-in NT system to protect your PC - only run online as a restricted user (also known as limited user and/or restricted account). Always run as a user with the least privileges and rights. This has been made simpler by Microsoft (MS) by making three categories of accounts.
a. Administrator - this one can do anything (always password protect and disable the hidden Administrator)
b. Limited user - this one has all he needs, and can watch video, shop, bank, save files, etc. No ability to install.
c. Guest account - this one has even less privileges, but I think it is only necessary for actual guests to your PC.
This NT protection scheme is almost as good as a sandbox, but don't assume you're not being watched. Zeus variant malware can also inject into the startup folder and survive a reboot. Malware can also fool you into clicking on suspicious alerts and gain administrative rights to the PC; it can also use exploits to gain a foothold in a vulnerability in the operating system or other applications.
2. To avoid further calamity in this environment it is necessary to understand that solutions, almost to a tee, must be as close to a kernel-based environment as possible to prevent manipulation by malware. Some simpler but good AM can use a password to protect the settings console - the better ones simply can't be manipulated without logging in as administrator or allowing an alert to attempted changes to the AV/AM solution. I will list what I have tested as serious contenders in this market - I will list the free ones first, as that precludes me from shilling people to get paid by a company. I am independent and don't take money from any company. In fact I do a lot of free consulting just to destroy the mislaid plans of criminals.
a. Rapport - This tool keeps criminals from riding the session into the bank account you just successfully logged into! It can block keyloggers and screen capture as long as an SSL session is active.
b. Comodo Free Firewall - Probably called Internet Security now - but you only need the firewall and Defense+. The latter will alert you to file manipulation, and is getting better at identifying which process is trying to do it. Newbies are gaining more and more understanding of this, as Comodo continues to improve the product.
c. Emsisoft Anti-Malware or other similar products are paid products if you want the real-time protection, but it does a better job letting you know what and where the file is being manipulated, and by what, and lets you keep safe processes from being monitored at all. Mamutu is one of the few paid products I can recommend, but I haven't tested PCTools ThreatFire, which is supposed to be similar, and is still free, last I checked. WinPatrol can do this for free, but is subject to manipulation, and fairly weak against attack; but if you are aware, you will see it drop off the "systray area" or whatever Win 7 denotes that to be. Awareness can prevent many successful attacks, because even weak solutions show evidence of tampering.
d. Prevx SafeOnline - reduces threat settings automatically when Rapport is detected on your PC. This is the only anti-virus/malware that can be run concurrently with one other anti-virus. It is cloud based and amazingly fast, and free to Facebook users - so I only recommend it for them. However, you do not have to remove anything with it, and I don't recommend doing that BTW. MBAM, SUPERAntiSpyware, or CCleaner will do that much better on a limited account.
3. The next category may not be kernel based (for now) but is compulsory for my clients. These are solutions that are very resistant to malware, and probably wouldn't function if malware were trying to change them anyway! Both the previous category and this one can operate in infected environments, which one must face now, because there are too many silent and undetectable threats now.
a. Keyscrambler - is a very good key-logger obfuscation tool, it can't block video or snapshot images, but the previous solutions can make life difficult for those that attempt that kind of surveillance.
b. LastPass - this one has a very good reputation, as they immediately alerted the public the one time they thought their host-based security was compromised; it turned out no 'blobs' were exported by the criminals, and no damage was accomplished, but they still warned folks to change the master password nonetheless. Personal information is stored on the local hard drive and in the cloud in encrypted form, so no sensitive data ever has to be entered into the hard drive without protection, and if you lose your OS to a crash, the cloud will instantly provide all of it after logon.
c. CCleaner - I put this into this class because it is such an excellent free solution, and it is so effective at destroying the criminals' plans in such a simple way. It just deletes all the temp files you brought in during page loads, and also can clean out the startup folder to prevent injection attacks. The criminals are doing their homework trying to disable CCleaner any way they can during your browsing session, so it is a good idea to use it between sessions, so if something is wrong - you will know it before disaster strikes!
NOTICE! - I don't mention anti-virus? Well - actually Avast is my favorite, but during my honeypot tests, I am beginning to wonder if running with restricted rights and keeping everything updated has made both AV and AM obsolete! This leads to the next category of updater tools to keep the PC environment locked down and almost invulnerable.
4. This category can keep malware and viruses from compromising the protection the operating system already provides to the OS, and also plugs holes in applications that are more likely than anything to blow holes in your security. No AV or AM can help you there!
a. Secunia PSI - the new version will pop up during limited sessions to let you know when it can't automatically keep your applications updated. CNET's update alerts through email will usually beat PSI to the rescue, but the following will usually beat all of them.
b. FileHippo Update Checker - this handy updater helper can beat the others to the punch, sometimes three days earlier than any other source. Downloading their updates can be an easier way to accomplish the task too, but simply using your browser's updater is the best once FileHippo lets you know what needs updating. Unfortunately, Windows security has improved just enough that FH can't alert you while you are running as limited user anymore. So if you want the max alert time before a zero-day threat, you would have to log onto the administrator at least once a day. I personally don't do this; but my bank account is not likely to be compromised, as the bank limits the power of using accounts online, so criminals can't take over the account anyway. Your mileage may vary!
5. The last category addresses methods of payment; and many have already mentioned PayPal. Your PayPal account is only as good as the password protecting it, though; so bear that in mind. Most crooks simply guess your password, or get it from surveillance, and empty your account that way; they can intercept your email during man-in-the-middle attacks, so you might not get an email alert. You can always tie a store-bought pay card to the account to limit the damage, or a credit card that can be blocked if PayPal goes awry. One of my favorite methods is to use an Online Secure Credit Card. This card number is only good for the vendor it is issued to, and if someone else tries to use it, BOOM! - they get nothing! HA! I love keeping the money out of the criminals' hands in the first place! Discover is the only credit card company that I know of doing this now. If anyone knows of others, please chime in.
In conclusion I would just like to add that when I am attacking my honeypot limited account with zero-day threats, 75% to 85% or more of the time something in the modern Windows browser or operating system will stop the threat cold in its tracks - it just takes good judgment to NOT blow through DEP, ASLR, the UAC, and other embedded security features in Windows. I challenge you to look for new security solutions here on CNET that actually provide real-time malware protection on limited Windows accounts. Now that Ad-Aware has lost its reputation, that is getting hard to find!
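Two of the checks the post above relies on - that you are really browsing from a limited account, and that nothing new has crept into the startup folder or Run keys between sessions - can be done by hand from a normal PowerShell prompt. The script below is an added example, not code from the post or from any of the products it names. It only reads; it changes nothing. The baseline file path (autostart-baseline.csv in the user profile) is an assumption chosen for the example.

```powershell
# Added example (not from the original post). Audits two things the post
# recommends: running without administrator rights, and watching the
# autostart locations (Startup folders and Run/RunOnce keys) for entries that
# were not there last time. Read-only: it never modifies the registry or files.

function Test-IsElevated {
    # True when the current token is a member of the built-in Administrators role.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-AutostartEntries {
    # Returns one object per autostart entry found in the Startup folders and
    # the per-user / per-machine Run and RunOnce keys.
    $entries = @()

    # Startup folders: the current user's and the all-users one.
    $folders = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    foreach ($folder in $folders) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($file in Get-ChildItem -Path $folder -File -Force) {
            $entries += [PSCustomObject]@{
                Location = $folder
                Name     = $file.Name
                Target   = $file.FullName
            }
        }
    }

    # Run / RunOnce keys. HKLM keys are readable from a limited account.
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $psNoise = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($psNoise -contains $prop.Name) { continue }   # skip provider metadata
            $entries += [PSCustomObject]@{
                Location = $key
                Name     = $prop.Name
                Target   = [string]$prop.Value
            }
        }
    }
    return $entries
}

# 1. Least-privilege check.
if (Test-IsElevated) {
    Write-Warning 'This session has administrator rights. Bank and shop from a limited user account instead.'
} else {
    Write-Host 'This session is running without administrator rights.'
}

# 2. Autostart baseline comparison. First run records a baseline; later runs
#    report anything that was not in it. Path is an assumption for this example.
$baselineFile = Join-Path $env:USERPROFILE 'autostart-baseline.csv'
$current = @(Get-AutostartEntries)

if (Test-Path $baselineFile) {
    $baseline = @(Import-Csv -Path $baselineFile)
    if ($baseline.Count -eq 0) {
        $new = $current   # empty baseline: everything is new
    } else {
        $new = Compare-Object -ReferenceObject $baseline -DifferenceObject $current `
                              -Property Location,Name,Target |
               Where-Object { $_.SideIndicator -eq '=>' }
    }
    if ($new) {
        Write-Warning 'Autostart entries that were not in the baseline:'
        $new | Format-Table Location,Name,Target -AutoSize
    } else {
        Write-Host 'No new autostart entries since the baseline.'
    }
} else {
    $current | Export-Csv -Path $baselineFile -NoTypeInformation
    Write-Host "Baseline of $($current.Count) autostart entries written to $baselineFile"
}
```

Run it once from a clean state to record the baseline, then again after a browsing session: anything that shows up under "not in the baseline" is exactly the kind of startup-folder or Run-key entry the post warns survives a reboot, and is worth looking at before the next session rather than after.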