Consider: Any virtual machine manager may have "holes" in it that permit an exploit through, from the VM to compromise the host OS. Perhaps such an exploit could be used to infect the parent OS with some type of exploit--even if not ZeuS or URLZone, it could possible be used as a 'bot' to send out infections to other Windows boxen. I suppose a VM that boots and runs of an ISO of a LiveCD running on a Linux-based host OS may offer about as much security as you're likely to get without using a dedicated (preferably Linux) PC, since it would presumably be very hard to hack a livecd-based VM (and they are surprisingly easy to set up and no, the virtual machine manager won't let you write to the ISO image, so that should be pretty secure....)

An alternative, if you are willing to live with having your dedicated machine on the same network as other, non-dedicated machines (and therefore, potentially open to attack originating from them) is to purchase one of those inexpensive PCs, and install Linux or MacOS on that, using a secure distribution. Of course, if you really want to be secure, you're going to probably need a dedicated internet connection for the dedicated PC, and a secure account for that, and to guarantee that your ISP is as honest and secure as you are trying to be...eventually, it becomes so laborious that the benefit is lost in all the effort--kind of like having to read through this last sentence!