Even being "curious" about what kind of spam you're getting can be dangerous.
A currently popular crimeware method is to embed a "bot" in an email message, usually as a JavaScript element. Even opening (or previewing) the message to see what it is may allow the JS to run and put a small bot on your machine. Once the bot is in place it initiates a connection to one or more websites that download the "real pieces" to take over your machine.
Even with a good firewall, a "request to connect" that originates on your machine may look like something you want to do, so the "bot" may, so far as your firewall and AV are concerned, "look like you," with your permissions.
The initial infection can also come from unscrupulous websites, or perfectly honest ones that have been infected, and run the script to download itself while the page opens, or if "curiosity" induces you to "click something."
While Java appears to be the most popular vehicle, there are other "scripting methods" that appear at times, so turning off JavaScripting helps, but isn't fireproof. Unfortunately, JS is useful sometimes too, and there may be times when you need to have it turned on.
Of course ;>) it doesn't apply to anyone here, but you never know where your library users will go: "porn" and other "similarly questionable" sites are generally held to be most likely sources of this kind of malware. It's uncertain whether Google has "sanitized" their search results out of "moral conviction" or just because the sites with "that kind of stuff" are so frequently dangerous; but they do seem to return lots less of it recently. (There are other search engines that specialize in it that your library patrons might use.)
Most of these exploits do rely on "vulnerabilities" in the OS, and keeping current with patches is probably the most effective single thing one can do (aside from not being stupidly curious). For Windows, only WinXP and (for now) Win2K can be patched, unless it's something really critical; and Microsoft's idea of critical leaves out a lot of known weaknesses in WinME and Win98.
It's really uncertain whether other operating systems are "less vulnerable" or whether they're just not big enough targets to be worthwhile to the criminals. The last pack of 12 OS-X patches (about a month ago?) looks to me like "carbon copies" of patches issued for Windows over the past year or so; but Apple doesn't provide enough information for real assessment by "disinterested" people like me.