Re: Once again...
1. The host PC *does* detect viruses coming from the Ethernet in NAT mode, assuming you're not running Linux without an AV. My point was that it won't detect ANY viruses if you run in bridged mode. Of course you should also run an AV inside the VM, but in theory if the VM worked as everyone thinks it does, you wouldn't have to. My point was that a VM setup still won't catch everything. It might be a little less vulnerable than a native installation, but it'll be far from perfect.
2. Restoring a ghost image is almost as fast as a VM copy. And if you're running XP for compatibility reasons, you can't really strip that VM down to the bare bones because the program you're trying to run might not work. Besides, you can strip a native XP installation in the same way.
3. If you ban VMs, you (in theory) only have to really worry about the XP PCs. You could put them on a separate network, for example, in an attempt to isolate them from your other PCs. With VMs, you have to worry about ALL the PCs. It's very easy for the end user to switch the Ethernet support in a VM from NAT mode to bridged mode or to mount a USB drive. VMs give a false sense of security. At least with an XP machine you know the exact level of security you're getting.
4. In my experience, if the host PC does not have drivers for a piece of hardware, more often than not the VM will have trouble recognizing and/or using that hardware. I have also had problems with VMs in general, and have had to resort to native XP installations.
Maybe a dual boot XP/7 installation would work better? Then Windows 7 could scan the XP partition for exploits daily, something it can't do with an XP VM. But then you have rely on the user to boot back into Windows 7 when they're done. They might do it if you put all the other applications on the Windows 7 partition and just put the bare minimum on the XP partition.
My point is that VMs are not touted for security, but compatibility. Just like XP was. Which is why XP had all those exploits in the first place.