Just yesterday some nimrod emailed me a virus. I knew it was a virus and should just be deleted outright, but I wanted to examine it. Since it would do absolutely nothing to my Mac, I dragged the virus-laden (netsky win32 BTW) zipfile to my desktop and fired up my Parallels VM running XP, then dragged the file over to its desktop to see what it would do. It did exactly what I figured it would do, which was make itself invisible, then the Symantec anti-virus thing on the VM did its thing, which was to clean it out.
Nice experiment, and with no fear that it would do anything to the Mac OS X host system.
So yes, VMs are sandboxed nicely.