How to change the Application Pool Identity of a WSS or MOSS web application
This change will be automatically propagated to all web front-ends.
How to change the Application Pool Identity for SharePoint Central Administration (SCA)
Repeat these steps on each server which hosts the SharePoint Central Administration web application. If the web front-end (WFE) and application (APP) server roles are served by separate machines, SCA should be enabled on one APP server (or more) and stopped and/or removed from the WFE servers. This allows control over access to the SCA. The SCA service account should not be the same as that used for the SharePoint application pool so even if one is compromised, the other remains secure.
The above steps create an Administration Application Pool Credential Deployment timer job. You can see this in the Timer Job Definitions page. The job is complete when it no longer appears in the list of definitions (refresh the browser, this isn't automatic).
How to change the default content access account for MOSS search
The content access account is used to crawl and index SharePoint content for a given Shared Service Provider (SSP). It should be different from the application pool identity and configured so that only the most recent version of each document is indexed, otherwise old versions will appear in search results.
How to change the Search Service account for MOSS
Note that this is the identity used to run the Search Service, it is not the identity with which content is actually crawled and indexed. This account must be a local administrator (not a domain administrator) on both the query server and the index server in order for index propagation to work. This is set automatically for you when you click OK (below), but is the first thing to verify if you get a "Query server not responding" error (see Chris Gideon's post).
How to change the default content access account for WSS search
Note that the Search Service account (which runs the WSS search application) is not the same as the Content Access account (which actually indexes the content). The Search Service account may be the same as the SharePoint application pool identity. The Content Access account should be different from the SharePoint application pool identity.
or
Many of the above steps are also documented in the MSDN KB Article 934838: How to change the passwords for service accounts in SharePoint Server 2007 and in Windows SharePoint Services 3.0, which could just as well be titled "How to change passwords or accounts for service accounts. . . ." But note that the KB article doesn't explain why you would make changes in the first place, only the how-to.
KB 934838 also contains a nice batch file you can customize to make many changes at once. Of course, please, please, please don't do something incredibly silly with it like saving your passwords in cleartext.
Background
There are a variety of reasons to change the accounts used by SharePoint's many services. The "best practice" is to use the same account wherever you have the same permission or auditing requirements for two operations, and distinct accounts for each potential attack surface.
Example 1: Two SharePoint application pools might use the same identity, unless the breach of one should absolutely not affect the breach of another. For example, the compromise of a web front-end should not also allow the compromise of central administration (and vice versa), therefore these two applications should run in separate pools with separate identities.
Example 2: Content crawler accounts need only read SharePoint content, so assigning any more rights or allowing the crawler to run as an administrator or database owner (e.g. using the application pool identity) creates a prime attack surface. Don't do that.
On a standalone WSS or MOSS configuration, local accounts work just fine. This is typical for a developer environment. When you need to more fully replicate a production environment, it's a good idea to join such a machine to a domain and configure the farm accordingly with similar domain accounts and often Kerberos.
There are some useful rules of thumb to follow in configuring SharePoint accounts.
Rule #1: Don't change account pool identities directly in IIS (unless it's the only way).
I've taken some pains to describe what I think are the best ways to configure accounts. Commands aren't generally added to STSADM or SCA on a whim (though I'll concede the possibility). If there's a SharePoint way of doing something, it's usually best to do it SharePoint's way and not the alternative. A similar rule is "never touch the database."Rule #2: Make the changes while logged in as a domain administrator.
The service accounts must be granted rights and be named in policies. If you use SharePoint's interfaces, SharePoint will update the appropriate rights and policies for you, but you must execute the changes while logged in as a user who is able to set these permissions and policies. This usually means being logged in as a domain administrator.
That's it, have fun.
References