Google contacts are stored on the phone, just backed up to Google. So you can use your contacts when you are not connected to the Internet just fine.
There are no _viruses_, i.e. no self-propagating malware you can catch just by opening an email or visiting a website. There is malware, but it has to fool you into installing it. Only install apps from reliable sources (avoid sites that offer free downloads of paid apps - they are a prime source of malware), and apply a bit of common sense (e.g. if a flashlight app wants access to your contacts or messages you should be suspicious) and you will be fine.
I'm afraid I agree that question 1 is too broad: for example, in your PC analogy you suggested 2 apps which I personally don't use. The first things I do (apart from rooting the phone, which if you are new to Android I don't recommend as a starting point) would be to install my preferred email client, SMS app, calendar apps, music player and a few browsers, and change the launcher. But there are built-in versions of all of those and many people are fine with them. Conversely, someone else might install or set up their preferred social networking apps, cloud services, set up syncing with Exchange, or other things which I don't use at all. So beyond the basics of getting your contacts onto the device and setting up a Play Store account, it's really a matter of what you want to do with the phone and what your tastes are.