The main thing to get you into trouble is having a spam trojan start spewing out spam from your VM. That'll get the ISP's attention after a while and get your public IP on many blacklists. Maybe even get your net access turned off if it's bad enough. That's why you want a good software firewall on the host machine so you can block this. Outpost or Sunbelt Kerio firewall can do this if you use the advanced filtering.
A virtual machine is just a program on the computer, but it creates an environment that makes the virtual installation think it's a real one. It is separate, but it is possible that stuff from the VM could get out. Usually, this would be if you enable sharing between the host and virtual machine. Also, make sure all other computers on your network have good firewalls in case you get something that scans looking for other vulnerable computers. Since your VM is behind your router, it won't help. That is yet another reason to have a good software firewall on your host to control what the infected VM can spit out. For the most part, using a VM is safe; you just have to be mindful, prepared and knowledgeable.
Going into the exact details of how a virtual machine separates itself from your main computer is beyond what I can say here, but it works. Remember, using VMs for malware research was not their original purpose. Usually it was for testing different builds of an OS or a different OS. You can install other OSes like Linux, Unix, etc. in a VM. In fact, you can use a VM to run Windows on another OS. I run Windows XP and Vista on my Mac with VMware Fusion. So, virtualization works. For more specifics you can start with this Google search.