This post I recently wrote gives a thorough overview of the different network configuration options for VMs, specifically VMware, and discusses potential threats from the point of view of whether or not it is a good idea to install software patches in them (original question in thread).
With NAT mode, malware (or an actual attacker who's gained access) will absolutely be able to reach out and communicate with other computers and thus spread if it has the capability to do so. The list of targets that it could potentially communicate with and attack includes all other VMs up and running in NAT mode (NAT offers no protection for the VMs within the virtual LAN), all VMs running in bridged mode, your host OS, anything accessible on your physical LAN, and any publicly accessible host out on the internet. Whether or not those hosts will get infected depends on the malware having the capability to distribute itself, whether the architecture is compatible for exploitation by that malware, configuration, whether particular patches are installed or missing, and what security products may get in the way.
Your NIS package, I would expect, should hopefully be guarding your system from attacks incoming via not just the physical adapter but the virtual adapters also, so your host OS should be relatively safe in some respects. Other systems listed above might be vulnerable though. It would be wise to isolate the VM from all networks when playing with malware.
Well, let's just put it this way: a strict NAT connection isn't going to give the client access to the host; however, you need to make sure there is no connection from the client to the host (shared folders, drives, etc.). If you network both client and host, then all bets are off.
But I agree with what others are saying. If you're not sure as to what will happen, then you might want to reconsider. You can't really teach people about this stuff if you're not even sure.
What? The NAT option for the VM isn't going to do anything at all to stop the guest OS reaching out and communicating with other systems / the host OS.
Also, note that, as I explained in the post I linked to, with a VM in NAT mode there are multiple paths between the guest OS and another host. There's a direct connection with all other NAT-based guest OSs via the virtual LAN; there's a direct connection to the host OS via the virtual LAN (VMnet8 virtual adapter in the host OS); and there's the virtual NAT service through which anything out on the physical LAN (including the host OS) or the internet can be reached. All of this is covered in the post I linked to above.
What are the safest options for VMware/VirtualBox for Cryptolocker testing?
To completely isolate the VM, of course. Either remove any network adapters from the VM or at least tick the option to have them disabled on start, and make sure that there are no shares or anything set up to the host OS. Understand that if there is a vulnerability in the VM software itself, this could potentially result in your host OS getting compromised by a piece of malware that exploits such a vulnerability regardless of this.
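Building on the isolation advice in the last reply, here is an added example (not from anyone in the thread) that audits a VMware .vmx file for the paths discussed above: network adapters that connect at power-on and shared folders into the host. The .vmx key names (ethernetN.present, ethernetN.connectionType, ethernetN.startConnected, sharedFolderN.*, isolation.tools.hgfs.disable) are used as I understand VMware's format and should be treated as an assumption; the sample file is constructed.

```python
import re

# Constructed sample .vmx excerpt (not from the thread): one NAT adapter that
# connects at power-on, plus a shared folder exposing a host directory.
SAMPLE_VMX = '''
displayName = "malware-lab"
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
ethernet0.startConnected = "TRUE"
sharedFolder.maxNum = "1"
sharedFolder0.present = "TRUE"
sharedFolder0.enabled = "TRUE"
sharedFolder0.hostPath = "C:\\Users\\analyst\\samples"
isolation.tools.hgfs.disable = "FALSE"
'''

_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Parse key = "value" lines into a dict (VMX keys are case-insensitive)."""
    cfg = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def is_true(cfg, key, default="FALSE"):
    return cfg.get(key.lower(), default).upper() == "TRUE"

def audit_vmx(text):
    """List every configured path from the guest to the host, LAN or internet."""
    cfg = parse_vmx(text)
    findings = []
    for key in list(cfg):
        eth = re.match(r"ethernet(\d+)\.present$", key)
        if eth and is_true(cfg, key):
            n = eth.group(1)
            mode = cfg.get(f"ethernet{n}.connectiontype", "unspecified")
            # Assumption: an absent startConnected key means the adapter connects.
            if is_true(cfg, f"ethernet{n}.startconnected", default="TRUE"):
                findings.append(f"ethernet{n}: {mode} adapter connects at power-on")
        sf = re.match(r"sharedfolder(\d+)\.present$", key)
        if sf and is_true(cfg, key) and is_true(cfg, f"sharedfolder{sf.group(1)}.enabled"):
            findings.append(f"sharedFolder{sf.group(1)}: host directory shared into guest")
    if not is_true(cfg, "isolation.tools.hgfs.disable"):
        findings.append("isolation.tools.hgfs.disable is not TRUE: shared-folder channel enabled")
    return findings
```

An empty result means no adapter connects at power-on and no shared-folder channel is open; it says nothing about the VM software's own attack surface, which the reply above notes remains regardless.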