When a VSA controls a service, the service accesses the network with the computer's identity (in a domain environment), which is much like what the built-in LocalSystem and Network Service accounts do, except that VSAs allow each service to have its own separate security domain (and subsequent isolation).
Creating a Virtual Service Account is pretty easy. Open the Services console (services.msc) and modify the service's logon account name to be the same as the service's short name, such as ex. NT SERVICE\ServiceName$. Then restart the service. That's it.
Recommendation: When the infrastructure can support it, consider using Managed and Virtual Service Accounts functionality to manage service account password security.
That wraps up part one of my three-part series on Windows 7 security. Part two will cover some of the more exciting features, such as XP Mode and AppLocker.
Sign up for CIO Asia eNewsletters.