I have seen a few variants.
SANS and a few other security classes I've joined pass out USB drives to each student, that come pre-filled wth one or more virtual machines, compatible with the most common virtualization platforms. They also warn students up front, multiple times before class, that they need to setup something like VMWare Player on their laptops and that they need to test it beforehand.
PRO: branded USB sticks as goodie, no downloads needed (and thus no bandwidth load)
CON: takes an upfront investment of having the USB drives prepared in bulk (and updated in case of changes).
===
Others take the VM-approach, but rely upon tools like Vagrant to build the VM on-site, on-the-fly.
PRO: updates to the labs are easy, just one rebuild away.
CON: potentially a big load on bandwidth in the training location, Vagrant et al are potentially confusing to the less-experienced student
===
Still others make use of Docker containers, pulling them on-the-fly from the Internet or an internal / locally hosted Docker repository.
PRO: updates to the labs are easy, just one rebuild away, great for covering a few very specific applications/services.
CON: potentially a big load on bandwidth in the training location, Vagrant et al are potentially confusing to the less-experienced student
===
Finally I have taken a few classes where the training org provides an online lab environment that is to be accessed through VPN or a web portal. This is often the case where a large, simulated environment is needed that can simply not be run on a student's laptop.
PRO: everything is fully under your control in your organization's servers
CON: 100% online connection needed during class, total cost of setting up and maintaining this cloud-hosted multi-student environment