A Virtual Organization (VO) is a dynamic collection of distributed resources that are shared by a dynamic collection of users from one or more physical organizations. As Grid Computing technology is starting to facilitate truly large-scale VOs, issues are being raised regarding the purpose, architecture and operational mechanism of the VO. The emerging approach is essentially to define the VO as a particular set of users, whereby a "VO server" issues tokens to humans attesting to their membership in the VO. The problem with this approach is that there is little in the way of rules that describe the operation of the virtual organization or rules that govern the behavior of VO users and resources (and the ramifications of failing to meet the intent of the VO itself). Where such rules exist, they are implicit and therefore difficult to enforce in a consistent or automated manner. This paper identifies two representative policies for existing and future VOs and, more generally, identifies issues and approaches for addressing the practical concerns for implementing any explicit VO policy: utilization measurement, accounting, enforcement conditions, enforcement actions, and security. A prototype implementation using .NET is described.