Pen Testing Practice Box?
You can't distribute a Windows VM legally. But a Windows XP SP1 machine or a Windows NT4 machine would be ideal. NT4 is no longer supported by Microsoft and therefore contains numerous unpatched vulnerabilities. Even a Windows 7 machine without patches could be exploited through an IE exploit.
If you want to get into pen-testing, I suggest reading this article by Robin Wood, where he discusses the $64 million dollar question "How to break into the security industry?". He provides lots of links, information and guidance.
As well as the answers provided, you could check out Mutillidae or the Samurai WTF Linux distro (which has the targets locally on the actual VM).
When hacking test boxes, run tcpdump/wireshark/tshark on the target and start examining the packet captures to truly understand what you're doing. Additionally, where possible, use the command-line :) I just released some pcaps from HackEire 2011 that show some real-world attacks and I'd recommend having a look at them.
As Rook said, this would violate a lot of copyright laws. Another distribution you may be interested in is Damn Vulnerable Linux.