A bit complex, but still interesting. The developers of advanced sandboxing must really think on another level, super smart guys and girls.
Very useful, thank you. I know as a developer, adding decent sandbox controls to an application in Windows is needlessly hard, and MS keep on changing the models and facilities available. Really what's needed are a few templates that could go in a project to say whether internet/registry/file system whitelist/blacklist should be applied. Then more advanced scenarios could be done manually by the bigger shops.
Nice read on the Windows OS sandbox introduced with Windows 8 (AppContainer and LowBox token): http://news.saferbytes.it/analisi/2013/07/securing-microsoft-windows-8-appcontainers/