It is not necessarily a risk, other than the fact that you will have less insight into what these users are up to. That argument, however, would apply to any sort of strange beast of system or software that is brought into the enterprise.
Thus, it all comes down to how much you trust these users and what they might do. Do you need to monitor their actions carefully? The VMs, if deployed in the manner that you describe, will be completely controlled by the users, and they will therefore be invisible pockets of software in the environment. Perhaps you can strike a bargain with these users that doesn't have quite as much potential for chaos. You can, for example, choose a set of operating systems that you will support as virtual guests. Then, you can require employees to install security packages, like antivirus and personal firewalls, in those guests. That might help you strike the right balance.
Dig Deeper on Virtualization security issues and threats
Related Q&A from Ed Skoudis
Learn how social networking sites compound the insider threat risk, and explore how to mitigate the threat with policy, training and technology. Continue Reading
At Black Hat 2006, researcher Joanna Rutkowska unveiled a piece of machine-based malware called the Blue Pill. But is it a serious threat to your ... Continue Reading
Wi-Fi on airplanes seems like it will be unavoidable in the future, but what security risks does it pose? In this security threats expert response, ... Continue Reading