SoftTree Technologies Technical Support Forums
LeeD (Joined: 17 May 2007, Posts: 311, Country: New Zealand)

Windows service accounts
Hi

There are a number of styles of Windows service authentication and contents, mentioned at http://www.microsoft.com/technet/security/guidance/serversecurity/serviceaccount/sspgch02.mspx
System Accounts

A service must log on as an account to access resources and objects on the operating system. If you assign an account to a service that does not have appropriate permissions to log on, the Services snap-in for the Microsoft Management Console (MMC) automatically grants that account the required Log on as a Service user right on the computer being managed. Microsoft Windows Server™ 2003 includes the following three built-in local accounts used as the logon accounts for various system services:

• Local System account
The Local System account is a predefined local account that can start a service and provide the security context for that service. It is a powerful account that has full access to the computer, including the directory service when used for services running on domain controllers. The account acts as the host computer account on the network and as such has access to network resources just like any other domain account. On the network, this account appears as DOMAIN\<machine>$. If a service logs on using the Local System account on a domain controller, it has Local System access on the domain controller itself, which, if compromised, could allow malicious users to change anything in the domain they wanted. Windows Server 2003 configures some services to log on as the Local System account by default. The actual name of the account is NT AUTHORITY\System, and it does not have a password that an administrator needs to manage.

• Local Service account
The Local Service account is a special built-in account that has reduced privileges similar to an authenticated local user account. This limited access helps safeguard the computer if an attacker compromises individual services or processes. A service that runs as the Local Service account accesses network resources as a null session; that is, it uses anonymous credentials. The actual name of the account is NT AUTHORITY\LocalService, and it does not have a password that an administrator needs to manage.

• Network Service account
The Network Service account is a special built-in account that has reduced privileges similar to an authenticated user account. This limited access helps safeguard the computer if an attacker compromises individual services or processes. A service that runs as the Network Service account accesses network resources using the credentials of the computer account in the same manner as a Local System service does. The actual name of the account is NT AUTHORITY\NetworkService, and it does not have a password that an administrator needs to manage.

Important: If you change the default service settings, you might prevent key services from running correctly. It is especially important to use caution when you change the Startup type and Log on as settings for services that are set to start automatically by default.
My question is this: I'm running the 24x7 Windows version as a Windows Server 2003 R2 service under a domain account. Would 24x7 function and be able to access network resources via Windows file sharing if I ran the service as LocalSystem or NetworkService and allowed the computer account to access the desired network resources via Active Directory?
Posted: Tue Jul 31, 2007 10:52 pm
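As an added example, not code from the thread or from SoftTree's 24x7 product, the following PowerShell script shows how a practitioner would check the question above on a real box: it inventories which services log on as a domain account versus one of the three built-in accounts quoted from Microsoft, shows the identity (DOMAIN\<machine>$) that LocalSystem and NetworkService present to a remote file share, and sketches the share and NTFS permissions that computer account would need. It assumes the SmbShare module (Windows Server 2012 or later) for Grant-SmbShareAccess; the share name 'Data', the path 'D:\Data' and the service name 'MyService' are placeholders.

```powershell
# Added example (not from the forum thread or the 24x7 product).
# Step 1: inventory services by logon account (Win32_Service.StartName).
$services = Get-CimInstance -ClassName Win32_Service |
    Select-Object Name, DisplayName, StartMode, State, StartName

# The three built-in accounts as WMI reports them; none of these has a
# password that an administrator must manage or rotate.
$builtIn = @('LocalSystem',
             'NT AUTHORITY\LocalService',
             'NT AUTHORITY\NetworkService')

# Services running under anything else (typically a domain user) carry a
# stored password and are the ones worth reviewing for least privilege.
$domainAccountServices = $services | Where-Object {
    $_.StartName -and ($builtIn -notcontains $_.StartName)
}
$domainAccountServices | Format-Table Name, StartName, StartMode -AutoSize

# Step 2: the identity a service presents on the network.
#   LocalSystem and NetworkService -> the computer account DOMAIN\<hostname>$
#   LocalService                   -> anonymous (null session), so no share access
$computerAccount = "$env:USERDOMAIN\$env:COMPUTERNAME`$"   # assumes domain-joined host
Write-Host "LocalSystem/NetworkService services reach remote shares as $computerAccount"

# Step 3: on the file server, grant that computer account access. Both the
# share ACL and the NTFS ACL must allow it; placeholders 'Data' and 'D:\Data'.
# Run these on the file server, not on the host running the service.
# Grant-SmbShareAccess -Name 'Data' -AccountName $computerAccount -AccessRight Change -Force
# $acl  = Get-Acl 'D:\Data'
# $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
#             $computerAccount, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
# $acl.AddAccessRule($rule)
# Set-Acl 'D:\Data' $acl

# Step 4: move the service (placeholder 'MyService') off the domain account.
# sc.exe requires the space after 'obj='; NetworkService keeps network identity
# with reduced local rights, which is the least-privilege choice of the three
# when the service needs the share but not full local access.
# sc.exe config MyService obj= "NT AUTHORITY\NetworkService"
# Restart-Service -Name MyService
```

Steps 3 and 4 are left commented because they change the file server's ACLs and the service configuration; uncomment them only after the inventory in step 1 confirms which service is involved. If the service needs no network access at all, LocalService is the tighter choice, since it presents no usable credential on the network.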
SysOp, Site Admin (Joined: 26 Nov 2006, Posts: 7952)
As far as I understand, the LocalSystem account, as the name suggests, is limited to the local system. It has full rights for the local system but it cannot access any network shares. It can access only very limited network resources such as TCP/IP based protocols and communications, and only if such access is given to the COMPUTER\LocalSystem account on the domain level and only after somebody logs on to the system.

NetworkService is even more restricted than LocalSystem. In comparison, it doesn't have full access to the local system, but like LocalSystem it can access limited network resources such as TCP/IP based protocols and communications.
Posted: Wed Aug 01, 2007 12:02 am