The default for all VNC payloads is DisableCourtesyShell set to FALSE, which WILL give you a shell. If you want to disable it, you need to set DisableCourtesyShell to TRUE.

msf exploit(ms08_067_netapi) > set DisableCourtesyShell TRUE
DisableCourtesyShell => TRUE

Two schools of thought.

1. A big blue command prompt is a dead giveaway to someone that they just got owned, so in most cases you probably don't want it.

2. BUT if you find yourself with a locked desktop, you can either wait... or, if you have your Courtesy Shell, you'll have a command shell with the privileges of the exploited user/service. If you want your GUI or access to Start-->Run-->whatever, simply type explorer.exe into the courtesy shell and you'll get a desktop (as either the user you exploited, the service you exploited, or SYSTEM).

[Screenshot: Locked VNC Desktop with CourtesyShell]

[Screenshot: Unlocked VNC Desktop with Courtesy Shell (as SYSTEM)]

vnc-locked-desktop.png - Locked VNC Desktop with CourtesyShell (89.4 kB) , 07/15/2009 12:56 pm

vnc-unlocked-desktop.png - Unlocked VNC Desktop with Courtesy Shell (as SYSTEM) (129 kB) , 07/15/2009 12:57 pm