I started writing my reply, and then realized this post has become quite old. I hope it’ll be useful to someone anyway.
The answer is unfortunately: It depends. Basically, the containers will still sit behind the firewall (in most configurations), and only explicitly opened ports will be available externally. Furthermore, containerization provides some extra security, because even if a container is compromised, the base system won’t usually be compromised immediately. Containers are highly disposable, so a compromised container can be killed quickly and a new, uncompromised container can be spun up from an image. Good logging practices (remember, logs should be stored outside of the container!) can then help identify how and why the container was compromised, and it can be prevented in the future.
As for viruses, Linux doesn’t usually require AV itself, but if it shares files with Windows machines regularly, you may want to install something like ClamAV.
Overall, running your web applications in containers is significantly more secure than running them directly on your Windows servers, because containerization provides some containment of threats. If a Windows box is compromised, you have to set it up new, whereas a container can just be switched out and won’t have access to the host beyond allowances made in setup.
All that said: You can certainly configure a container badly; opening a bunch of ports, saving secret keys within it, and so on, which all constitute terrible security practices. I suggest more research and matching to your requirements.
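
Added example, not part of the original reply: a small audit of the misconfigurations named above (widely published ports, secrets stored in the container, logs that do not outlive the container, broad host access). It assumes Docker and the JSON field names that `docker inspect` prints; the function name and both sample containers are constructed for illustration.

```python
import re

# Env var names that suggest a credential is stored in the container config.
SECRET_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)", re.I)
# Log drivers whose data is gone (or never written) once the container is removed.
EPHEMERAL_LOG_DRIVERS = {"none", "json-file", "local"}

def audit_container(inspect):
    """Return a list of findings for one `docker inspect` container object."""
    findings = []
    host = inspect.get("HostConfig") or {}
    config = inspect.get("Config") or {}
    # An empty HostIp, 0.0.0.0 or :: publishes the port on every host interface.
    for port, bindings in sorted((host.get("PortBindings") or {}).items()):
        for b in bindings or []:
            if b.get("HostIp", "") in ("", "0.0.0.0", "::"):
                findings.append(f"port {port} published on all interfaces as {b.get('HostPort')}")
    # Values in Env are visible to anyone who can inspect the container;
    # *_FILE names point at a mounted secret file and are not flagged.
    for entry in config.get("Env") or []:
        name, _, value = entry.partition("=")
        if value and SECRET_NAME.search(name) and not name.upper().endswith("_FILE"):
            findings.append(f"secret-like env var {name} set in container config")
    # Assumption: a missing Type means Docker's stock default, json-file.
    driver = (host.get("LogConfig") or {}).get("Type", "json-file")
    if driver in EPHEMERAL_LOG_DRIVERS:
        findings.append(f"log driver {driver!r} keeps no logs once the container is removed")
    if host.get("Privileged"):
        findings.append("container runs privileged (broad access to the host)")
    return findings

# Constructed sample inputs, trimmed to the fields the audit reads.
BAD = {
    "Config": {"Env": ["PATH=/usr/bin", "DB_PASSWORD=hunter2", "API_KEY=abc123"]},
    "HostConfig": {
        "PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "80"}],
                         "5432/tcp": [{"HostIp": "0.0.0.0", "HostPort": "5432"}]},
        "LogConfig": {"Type": "json-file"}, "Privileged": True},
}
GOOD = {
    "Config": {"Env": ["PATH=/usr/bin", "DB_PASSWORD_FILE=/run/secrets/db_password"]},
    "HostConfig": {
        "PortBindings": {"8080/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8080"}]},
        "LogConfig": {"Type": "syslog"}, "Privileged": False},
}

if __name__ == "__main__":
    for label, container in (("BAD", BAD), ("GOOD", GOOD)):
        print(label, audit_container(container) or "no findings")
```

Each finding is a prompt for review rather than a verdict: a web container normally needs one published port, so the point is to confirm that every port on the list was opened on purpose.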