When a background service starts, it needs to run in the security context of an account. In classic NT, services typically run under the LocalSystem account. This causes security problems because processes running as LocalSystem have virtually unlimited privileges.
In Windows Server 2003, Microsoft tried to correct this vulnerability by including two new service accounts:
This account provides a security context for several services that access local system resources.
This account provides a security context for several services that access network resources.
These two accounts have their own profiles under Documents and Settings so they can obtain public key certificates. This enables them to digitally sign files and network communications.
If you look at the service list in the Services.msc console, you'll notice that LocalSystem still owns the lion's share of the services. LocalService owns a few processes such as Alerter, Remote Registry, and the Web Client. NetworkService owns DNS client, RPC Locator, License Logging, and a few others. Look for an expansion of their roles in the future; but for now, don't expect the local service accounts to prevent too many attacks.