Couple of things to answer here:
"How do people that don't use AV know there clean?"
The smart users when they say "I don't use AV" really means "I don't bother with active AV software." meaning once a year or less they do have about 3~6 AV programs they sweep there computer with a find nothing!
At least this is what I do every time before I reformat my system or once a year once ever comes sooner I like to run a good sweep of the system, just for fun. so far the the only things found over the last 10years has been 4 cookies in firefox... that I'm pretty sure were false positives. Sense they were data tacking cookies I actually wanted to keep around, so i didn't have to log-in to things all the damn time.
For the most part as long as you have your Browser/system/firewall/router/modem setup right it doesn't matter how "Questionable" the site is your pretty safe, as long as your not stupid enough to give out information about your self.
In order to exploit a flaw a site most use active code, if you have every thing but basic XHTML and CSS disabled, it would be externally hard for a site to automaticly do any thing to you.
The way most people get them selfs "infected" witch is a very relative term sense most of the things people call "viral" are really things they agreed to, they just didn't read the ELUA of something they installed. As a tech I've had people swear up and down they go something from a ad on google... a quick look around add/remove programs and its like ah~ no you are using about 10 ad supported programs.
There are viral ad's and site code out there, but be smart keep ActiveX, Java, Scripts, and flash disabled on sites you don't trust. Clean your cache often, and have cookies auto deleted, only manually keep cookies that you know you want, and don't accept cookies from every site on the Internet. "I mean really didn't your parents teach you not to take cookies from strangers?"