One of the nice things about virtualization is that you can run just about any program you can on a physical computer. One of the drawbacks of virtualization is that you can run just about any program you can on a physical computer. Why the seeming contradiction? While most programs are useful things you’ll install yourself, malware like trojans, viruses, worms, and so on are also all programs – and will happily run in a virtual machine. Unfortunately, malware authors frequently forget to set the Evil Bit, so it’s not simple to only run "good" programs.
From a security standpoint, you should treat a virtual machine just like you would a physical computer. For most users, this means you should have a firewall, antivirus, and software updates turned on. If you don’t need networking, disable it. Don’t visit shady websites or run untrusted programs.
If you’re a longtime Mac user, you’ve probably never needed to worry about this sort of thing; simply running OS X is a good first line* of defense in a Windows-centric world. But if you run Windows in a virtual machine, you need to be able to think like a Windows user.
* Disclaimer: Using a Mac is not a silver bullet, so
don’t get too complacent – malware could still theoretically hit us.
But it’s less likely.
Personally speaking, most of my virtual machines have no need for network access, so I disable networking (and actually remove the virtual network card to make sure I can’t accidentally enable it). With no networking, there’s no need for a firewall. If I need to get programs or data into the virtual machine, I use drag-and-drop or a read-only HGFS shared folder. I don’t keep important data in my virtual machines or allow them write access to HGFS shared folders, so even if something somehow gets through to the guest and runs amok, I won’t lose anything important. My setups are pretty simple, but if I had a complex one (e.g. if I had to spend hours installing software), I would back up a clean copy. Because of all this, I feel like I can get away without antivirus.
I suppose the managers and PR folks would want me to point out that Fusion 2.0 comes with a complimentary 1-year subscription to McAfee VirusScan Plus, which will run on 32-bit Windows 2000, XP, Vista, and 64-bit Vista. If you’re not a McAfee fan or are using other guest OSes, that’s cool; you can use whatever you want. My point is simply that you do need to take precautions even with a virtual machine.