I've been messing around with Sandfox on Linux and I think it's pretty cool. Kind of like Sandboxie for *nix; you can create somewhat more secure chroot environments for almost any application. (Somewhat more secure because Linux chroot is IIRC less secure than BSD chroot, but yeah.) So going full circle back to Windows... Does Windows NT have an equivalent to chroot so you could pull something like this off? Not that there's anything wrong with Sandboxie, but I would think that a chroot-like mechanism could perhaps be more flexible, e.g. you could tell it precisely what libraries to let a program read from, and it might work better for running services and stuff.