There are two points of attack: local access and network access.
Locking the workstation stops the local opportunity of compromise. If I had time to take your hard drive out, there is nothing to stop me from accessing your data.
Protecting yourself from the internet is a different ball game. The first defense is you and what you know.
Being behind a router and having correctly configured and updated firewall/spyware/malware/virus checkers are a solid first step.
Being careful of where you go on the internet and what you download is vitally important. Hacker tools can't always be detected when they are included in a download.
A company has a bookkeeper, for example, who liked to download zip files for scrapbooking. I get a call on a Friday concerning payroll. Two company payrolls had been compromised by a hacker to the tune of $60K per account.
As it turns out, one of those zip files contained hacker tools which allowed the hacker in Europe to capture the bank account numbers and passwords. Good thing the bank was on top of it or it would have been a huge loss with no recovery.
Just like in the old vampire movies, a vampire can't come into your house unless you invite him. Same with hackers. You just need to stay up on the tricks they use. Google social engineering, for example.
I would not leave a computer on all the time connected to the internet without a good reason for doing so.
You should not work under an admin account but a limited one. This restricts the damage that can be done compared to working under an admin account.
There are plenty of other tricks and the web lists them all. If you are behind a router, have a software firewall, and don't download from peer-to-peer networks or shadowy stuff, you should be just fine.