In my sandbox.ini file, under [GlobalSettings], I have:

ClosedFilePath=%Personal%\Photos\
ClosedFilePath=D:\Photos

while in [Photo] I have:

OpenFilePath=D:\Photos
OpenFilePath=%Personal%\Photos\

yet the Photo sandbox cannot get access to my photos. If I disable the Global ClosedFilePath=D:\Photos then access is restored, obviously, but I don't want other sandboxes to have full access to my photos. What am I doing wrong?
Try this (no trailing backslashes in global, all trailing backslashes in [Photo] box):

[GlobalSettings]
ClosedFilePath=%Personal%\Photos
ClosedFilePath=D:\Photos

[Photo]
OpenFilePath=D:\Photos\
OpenFilePath=%Personal%\Photos\
Unfortunately, that made no difference. I may manually remove the restriction on the odd occasion I need it - I have a program that allows only one instance, and I want to have two instances open side-by-side now and again. SB+ allows me to run one normally and another sandboxed. Or I could remove the global restriction and add it to each sandbox individually, but any new sandbox wouldn't then inherit the restriction.
I changed the protection level from Normal/Standard Isolation to Enhanced/Security Hardened and it works as I would expect. That's weird. And just in case, I have now checked that I hadn't disabled the global restriction.
When you select "Enhanced/Security Hardened" it will also enable "UseRuleSpecificity".

UseRuleSpecificity
Prioritize rules based on their Specificity and Process Match Level

The rule specificity is a measure to how well a given rule matches a particular path, simply put the specificity is the length of characters from the begin of the path up to and including the last matching non-wildcard substring. A rule which matches only file types like "*.tmp" would have the highest specificity as it would always match the entire file path.

The process match level has a higher priority than the specificity and describes how a rule applies to a given process. Rules applying by process name or group have the strongest match level, followed by the match by negation (i.e. rules applying to all processes but the given one), while the lowest match levels have global matches, i.e. rules that apply to any process.
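The ranking described in the quoted help text, sketched as an added example (not part of the thread and not Sandboxie's own code). It is a simplified model: the Rule class, the process name viewer.exe, the pooling of global and box rules into one list, and the treatment of a plain path as a prefix are all assumptions.

```python
import re
from dataclasses import dataclass

BY_NAME, BY_NEGATION, GLOBAL = 3, 2, 1  # match levels, strongest first

@dataclass(frozen=True)
class Rule:
    action: str        # "Open" or "Closed"
    pattern: str       # path pattern; '*' is the wildcard
    process: str = ""  # "", "viewer.exe" or "!viewer.exe" (hypothetical)

def match_level(rule, process):
    """Process match level of rule for process, or 0 if it does not apply."""
    spec, proc = rule.process.lower(), process.lower()
    if not spec:
        return GLOBAL
    if spec.startswith("!"):
        return BY_NEGATION if spec[1:] != proc else 0
    return BY_NAME if spec == proc else 0

def specificity(pattern, path):
    """Length from the start of path through the last matching non-wildcard
    substring; None if the pattern does not match the path."""
    if "*" not in pattern:
        pattern += "*"  # assumption: a plain path also covers what is below it
    parts = pattern.split("*")
    literals = [i for i, p in enumerate(parts) if p]
    if not literals:
        return 0        # a bare wildcard matches everything, specificity 0
    regex = ".*".join(f"({re.escape(p)})" if i == literals[-1] else re.escape(p)
                      for i, p in enumerate(parts))
    m = re.fullmatch(regex, path, re.IGNORECASE | re.DOTALL)
    return m.end(1) if m else None

def resolve(rules, process, path):
    """Top-ranked rule(s) by (match level, specificity); several means a tie."""
    ranked = []
    for r in rules:
        level, spec = match_level(r, process), specificity(r.pattern, path)
        if level and spec is not None:
            ranked.append(((level, spec), r))
    best = max((key for key, _ in ranked), default=None)
    return [r for key, r in ranked if key == best]

# Constructed input: the thread's D:\Photos rules, pooled into one list.
PHOTO = "D:\\Photos\\trip.jpg"
AS_ASKED = [Rule("Closed", "D:\\Photos"), Rule("Open", "D:\\Photos")]
AS_SUGGESTED = [Rule("Closed", "D:\\Photos"), Rule("Open", "D:\\Photos\\")]

if __name__ == "__main__":
    for name, rules in (("as asked", AS_ASKED), ("as suggested", AS_SUGGESTED)):
        print(name, [r.action for r in resolve(rules, "viewer.exe", PHOTO)])
```

In this model the rules as first posted tie on both measures, and the quoted text does not say how a tie is broken; with the trailing backslash on the Open rule its specificity is one character longer, so it ranks first.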
Sadly, I have no idea what this means - I didn't change anything other than select the type of security. As long as it works, I'm happy.