A properly configured firewall allows only the ingress and egress traffic that you explicitly allow, nothing more and nothing less. This has several security implications. For one, if you give your users shell access, they can't run any server software on the machine that might grant an attacker a shell account which they could then elevate to root via a local exploit, or just cause havoc from the user account. It may protect you from script kiddie type attacks that simply search for an exploit and try to install rootkit X through it. If RK X happens to listen on a port to allow the attacker to gain root, that traffic won't get through and the exploit will have 'failed'.
I wouldn't say it's really absolutely necessary to have a firewall; a secure machine without one is about as secure as a secure machine with a firewall, however as you add more users and more services, your machine has more and more possible points of entry. If you run a firewall, you mitigate some of the possible damage. Mostly it's just good practice...why would you *want* to deal with traffic that comes in on some random port? Why would you want to forward odd traffic coming from your machine?