They are accounts, just like your user accounts, but they are somewhat
special, because they are used by Windows internally.

LocalSystem has existed since the beginning of Windows NT, and your kernel and all its
services used to run as LocalSystem, having full control over your system.
When a service running as LocalSystem accesses the network, its username is
the computer's account. When a service running under this account is taken
over, you can do anything with the computer and probably the network too.
Use this only when you really need it.
(Note that services could also be run under any other user.)

With Windows XP and Server 2003 Microsoft began to do something more about
security and they provided 2 more special accounts:

Network Service is more restrictive than LocalSystem, since it has fewer
privileges on the local computer. When accessing the network it still
authenticates under the computer account. This service is intended when you
need access to (protected) network services (such as shares) but don't need
full control over your computer.

Local Service is more restrictive than Network Service, because on the
network its authentication is "anonymous". It also has few privileges on
the local computer. So it has much less potential to destroy your computer
and won't harm your network. This service is usually sufficient for most
services, so use it...
- Joris
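
An added example, not part of the post above: a PowerShell inventory that groups installed services by the account they run under and lists the running LocalSystem services as candidates for review. It reads the StartName property of Win32_Service; the function name, the class labels and the network-identity column are names chosen for this example.

```powershell
# Added example: classify services by logon account (Win32_Service.StartName).

# Account names as they commonly appear in StartName (lookup is case-insensitive).
$classes = @{
    'LocalSystem'                 = 'LocalSystem'
    'NT AUTHORITY\SYSTEM'         = 'LocalSystem'
    'NT AUTHORITY\NetworkService' = 'Network Service'
    'NT AUTHORITY\LocalService'   = 'Local Service'
}

# How each class authenticates on the network, as described in the post.
$networkIdentity = @{
    'LocalSystem'     = 'computer account'
    'Network Service' = 'computer account'
    'Local Service'   = 'anonymous'
    'Other user'      = 'that user'
}

function Get-ServiceAccountClass {
    param([string]$StartName)
    # Some services report no StartName at all; do not guess for those.
    if ([string]::IsNullOrWhiteSpace($StartName)) { return 'Unknown' }
    $name = $StartName.Trim()
    if ($classes.ContainsKey($name)) { return $classes[$name] }
    return 'Other user'
}

$report = Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $class = Get-ServiceAccountClass $_.StartName
    [pscustomobject]@{
        Name            = $_.Name
        State           = $_.State
        StartName       = $_.StartName
        AccountClass    = $class
        NetworkIdentity = $networkIdentity[$class]
    }
}

# Summary: how many services run under each class of account.
$report | Group-Object AccountClass | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# Review list: running services that hold full control over the machine.
$report | Where-Object { $_.AccountClass -eq 'LocalSystem' -and $_.State -eq 'Running' } |
    Sort-Object Name | Format-Table Name, StartName, NetworkIdentity -AutoSize
```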