I've written a web-application to run on Windows (XP, 7, 2008, etc.), not using MS tools (python/django/nginx, though it should not matter). To run the app I've created a Windows Service which installs and runs fine.
However, the application will run in an environment where security is important. By default the service installs itself running under the Local System account, which I understand has full control of the computer. Doesn't sound like a good idea.
I've also seen Network Service used but descriptions tend to talk about domains and such. This app uses the network and is running on Windows, but doesn't talk "Windows" much if at all. It is self contained and keeps its data in the "common app data folder" aka ...\All Users\Application Data though.
Should I use Network Service? Should I create my own account? On unix I would, but not sure of the "gotchas" on Windows. Would be easier to use an existing account.
Since you're coming from a Unix background you should be used to running under an unprivileged context. Many Windows developers don't have that kind of background and, as a result, we have a lot of services in the Windows ecosystem that require excessive privilege. I'm really glad to hear you questioning the need to run as "LocalSystem".
As a security-conscious Windows sysadmin I'd prefer that all my services run under unprivileged user accounts, either local to the server computer the service is running on or, if the service absolutely needs to access resources on other machines via Microsoft networking, a domain account.
I personally dislike any of the "Local Service", "Network Service", etc., contexts because they aren't user accounts that I can specifically control the parameters of. It is worth noting that "Local Service" always accesses remote machines with null sessions (anonymous credentials) and that behavior can't be duplicated with a normal user account. Still, I prefer an explicitly-specified unprivileged user to "Local Service", but "Local Service" is a perfectly reasonable choice, too. If you write your code to work as "Local Service" it should work fine as an unprivileged user, too, unless you write in some explicit dependencies on "Local Service".
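One way to script the setup the answer above recommends, a dedicated unprivileged local account for the service, added here as an example and not code from either poster. The service name `MyDjangoApp`, the account `svc_myapp` and the `MyApp` data folder are assumed placeholders; it assumes an elevated prompt on Windows 7/2008 or later (for `icacls`).

```powershell
# Added example; run from an elevated PowerShell prompt.
# Assumed placeholders: service name, account name and data folder name.
$ServiceName = 'MyDjangoApp'
$Account     = 'svc_myapp'
$DataDir     = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'MyApp'

$secure = Read-Host "Password for $Account" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# 1. Create the local account the service will run as.
$user = ([ADSI]"WinNT://$env:COMPUTERNAME,computer").Create('User', $Account)
$user.SetPassword($plain)
$user.SetInfo()

# 2. Give it modify rights on the app's own data folder and nothing wider.
New-Item -ItemType Directory -Force -Path $DataDir | Out-Null
icacls $DataDir /grant "${Account}:(OI)(CI)M" | Out-Null

# 3. Grant "Log on as a service" (SeServiceLogonRight). The Services console
#    does this for you when the account is set there; a script must do it itself.
$sid = (New-Object Security.Principal.NTAccount("$env:COMPUTERNAME\$Account")).Translate(
        [Security.Principal.SecurityIdentifier]).Value
$inf = Join-Path $env:TEMP 'svc-logon.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$lines = Get-Content $inf
if ($lines -match '^SeServiceLogonRight') {
    $lines = $lines -replace '^(SeServiceLogonRight\s*=.*)$', "`$1,*$sid"
} else {
    $lines = $lines -replace '^\[Privilege Rights\]$', "`$0`r`nSeServiceLogonRight = *$sid"
}
$lines | Set-Content $inf -Encoding Unicode
secedit /configure /db (Join-Path $env:TEMP 'svc-logon.sdb') /cfg $inf /areas USER_RIGHTS | Out-Null
Remove-Item $inf

# 4. Switch the service from LocalSystem to the new account.
$svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
$rc  = $svc.Change($null,$null,$null,$null,$null,$null,".\$Account",$plain).ReturnValue
if ($rc -ne 0) { throw "Win32_Service.Change returned $rc" }
$plain = $null

# 5. Restart and confirm which account the service now runs under.
Restart-Service $ServiceName
Get-WmiObject Win32_Service -Filter "Name='$ServiceName'" | Select-Object Name, StartName, State
```

If the service fails to start afterwards, the usual cause is a file or registry path the application touches outside `$DataDir` that the new account cannot write to.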