Good question. So good that you'll have to answer it mostly by yourself. But for starters I'd say the following is important:
for detection of virusses and signalling about it, you could write a script which runs a clamAV scan (just don't have it remove anything) every now and then and sends the result to the manager VM (I guess even batch allows you to form a URL with parameters and executing it (if not, VBScript is built into windows as well));
for executing attachments and the likes, you could use autohotkey to detect clickable buttons (mostly 'open' and 'yes' and 'ok' and 'surely I want that free trip to Hawaii') and click them;
for getting spam, just put up the mail addresses (obviously it shouldn't be an address of a big provider like gmail or outlook, since those have spam filters) on public sites and auto-reply to spam messages;
for getting infected via the web, you should probably include IE6 and activeX in the installation image and then have the VM browse to obscure porn & warez sites (via autohotkey).
With some hacking that together, I think you can get some infections in the system.