• VPN: Use a VPN. If you've already got a high-end router, chances are you've got some kind of VPN endpoint already set up. Now, you need to make sure it's got NAT-T (other IPsec versions don't work with NAT, which renders the VPN useless in coffee shops and on little wireless networks), and preconfigure it. If you have to, you can even use PPTP; I do sometimes because my router doesn't do NAT-T. Another alternative is OpenVPN (openvpn.net/), an SSL-based VPN client that works extremely well. Look for OpenVPN GUI for easy Windows configuration. If you're not using a VPN, SSL, or some other kind of encryption low on the OSI model, everything sent in plaintext can be passively sniffed or compromised on the wireless network.
• SSL: When doing anything sensitive, try to make sure you're using SSL. Banking websites are usually OK, as long as they use SSL and there aren't any funny messages about certificates being messed up (which is the man-in-the-middle vulnerability in action). Just be careful: Gmail, for example, has the logon session secured with SSL, but messages are plain old plaintext HTTP unless you force it with some tool. There are some extensions for Firefox that are really handy for this.
• Outlook/POP3/SMTP clients: Make sure you're using SSL encryption on these, otherwise you're completely out in the open. The entire authentication/secret exchange with the mail server, messages and all, is wide open. Some ISPs don't even let you connect to their mail server from outside their network without using SSL. Comcast, for example, doesn't. I'd recommend using mail2web, and clicking on "secure login," if you're in a hurry, or don't know how to configure your client to use SSL.
• Windows Firewall/Software Firewall: I've already mentioned my favorite part, using the Windows XP SP2 firewall. Make sure it's set up to not allow exceptions, or else use your favorite software firewall. There are a lot of really good free ones. This won't protect you from eavesdroppers reading plaintext traffic, but it will prevent people from attacking your PC as if it's just another client on the network. You don't have to worry about this on most big, professional hot-spot APs (TrueMobile, for example), because these are set up to isolate each client. Mom-and-Pop Coffee/Java Joe, however, just have a WRT54G plugged into their Cox, so you'll need this protection there.
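
For the mail-client item above, here is what "use SSL" means at the protocol level, as an added example that is not part of the original page. It is a Python sketch of a client that verifies the server certificate and refuses to send a password when encryption is unavailable; the function names, the exception class and the host, port and credential parameters are assumptions for illustration.

```python
import poplib
import smtplib
import ssl


class PlaintextRefused(Exception):
    """Raised instead of sending a password over an unencrypted session."""


def strict_context():
    # The default context already requires a valid certificate chain and a
    # matching hostname; a failure here is the "funny certificate message".
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def pop3_message_count(host, user, password, port=995):
    # Implicit TLS: the handshake completes before USER/PASS are sent.
    conn = poplib.POP3_SSL(host, port, timeout=10, context=strict_context())
    try:
        conn.user(user)
        conn.pass_(password)
        count, _size = conn.stat()
        return count
    finally:
        conn.quit()


def send_mail_tls_only(host, port, user, password, sender, rcpt, message):
    # STARTTLS is optional in the protocol, so check for it and stop before
    # AUTH if the server (or anything in the path that strips the
    # capability) does not offer it.
    with smtplib.SMTP(host, port, local_hostname="localhost", timeout=10) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise PlaintextRefused(f"{host}:{port} offers no STARTTLS")
        smtp.starttls(context=strict_context())
        smtp.ehlo()  # capabilities must be re-read after the upgrade
        smtp.login(user, password)
        smtp.sendmail(sender, [rcpt], message)
```

A certificate problem surfaces as `ssl.SSLCertVerificationError` from either function, which on an open wireless network should be treated as a reason to stop, not a prompt to click through.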