GESwall looks like a simplified Coreforce/Tiny Firewall to me, allowing you to limit applications so that they can read/write only particular files/registries etc. Like Coreforce, it has downloadable settings for popular applications which you can share and download. In theory, you can create very safe setups by allowing file and registry accesses only when necessary for the specific application and disallowing all else. With the right rules you can even simulate a limited user account, I suspect. The default ruleset is pretty loose though.

I played with it a bit. Looks okay. A bit rough around the edges; for example, right-clicking on the icon does not allow access to the console settings. Makes accessing changes difficult. It is lighter than Bufferzone IMHO.

I think though we can differentiate Coreforce/GESwall/Tiny from Bufferzone/Greenborder/Sandboxie/Defensewall.

The first group allows 'per application restrictions'. You can deny read access to c:\certainfolder for IE, while allowing access for Firefox. Of course, if you don't want to be so specific, there are always the default restriction rules (which are themselves changeable) when something is 'isolated'.

***********************************************

There are also other restrictions such as injection attacks, hooking, kernel drivers etc. which may not have much to do with file/registry control, but for obvious reasons, I think Bufferzone, GESwall, Defensewall, etc. have all restricted them when a file is "in the bufferzone"/"isolated"/"untrusted" etc. This seems to be standard for sandboxes.

***********************************************

The second group just splits all applications into 2 groups (trusted versus untrusted) and all untrusted programs are equally restricted. E.g. while you can set folders in Bufferzone to be "confidential", "trusted" to restrict read/modify etc. just like GESwall/Coreforce/Tiny, you cannot set it on a per application basis.
If you set c:\mysecrets to 'confidential', all programs in the Bufferzone cannot read it. GESwall however allows more granular control. Maybe you want to allow your password manager to access c:\mysecrets, but nothing else can read it. No problem, GESwall/Coreforce etc. allow it with the specific rules.

Bufferzone's main strength over Coreforce/GESwall, I think, is that it tracks changes made to the registry and file areas by programs in the BZ. This allows you to blow away changes made by such programs if necessary. So for example if your browser got infected, you can restore it to its original state by resetting the BZ. Sandboxie is similar.

It can even be used for testing stuff. Some shareware programs like to stick registry keys in your computer (which are not removed when uninstalled), so they can keep track of the fact that you tried them before. This is pretty irritating if you don't like such stuff lying around. Some people try to use stuff like Totaluninstall, which compares changes before and after software is installed, in hopes of keeping the system clean in case the uninstaller fouls up. But this method does not work, because most shareware sticks registry keys in only after the nth start (as opposed to during the install), so Totaluninstall doesn't see that change. But with BZ there is no problem, ALL CHANGES are tracked.

I haven't tried Defensewall yet, but I think it's closer to the BZ side of things, with 2 groups, "trusted" and "not trusted", except without the change-tracking thingie of Sandboxie and Bufferzone.

Conclusion

GESwall/Coreforce/Tiny Firewall etc. are like MS Windows XP's Software Restriction Policy on steroids. If you are one of those geeky people who like to tweak, control and lay out exactly what resources each app can access, this is a dream. For most people though, I think they will just use whatever the default restrictions are, and specialised rulesets if they are made available by others.
In effect they will be just using 2 groups, trusted/untrusted, exactly like Defensewall, Bufferzone etc.

Sandboxie/Bufferzone, as stated, have a built-in insurance policy of allowing you to revert changes, because all changes made by programs in the BZ are 'virtual'. This can be very, very useful of course if you make a mistake. Of course, these solutions tend to be 'heavier' in my experience.
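
A simplified model of the two groups the post distinguishes, as an added example (not code from the post or from any of the products named). The rule format, the tie-break order and the program name `passman.exe` are assumptions; the folders are the ones used in the post.

```python
from pathlib import PureWindowsPath

def under(path, folder):
    """True if path is folder itself or inside it, compared the way Windows
    does: case-insensitively and by whole path components."""
    p, f = PureWindowsPath(path.lower()), PureWindowsPath(folder.lower())
    return p == f or f in p.parents

def two_group_can_read(untrusted, confidential, app, path):
    """Second group: a program is trusted or untrusted, a folder is
    confidential or not; every untrusted program gets the same answer."""
    if app.lower() not in untrusted:
        return True
    return not any(under(path, c) for c in confidential)

def per_app_can_read(rules, app, path):
    """First group: rules are (app, folder, allow); app "*" is the default
    rule set. Assumed tie-break: an app-specific rule beats a default one,
    then the deepest folder wins, then deny wins. No match means allowed."""
    hits = [(a != "*", len(PureWindowsPath(f).parts), not allow)
            for a, f, allow in rules
            if a in ("*", app.lower()) and under(path, f)]
    return not max(hits)[2] if hits else True

# Constructed sample policy, using the folders named in the post.
UNTRUSTED = {"iexplore.exe", "firefox.exe", "passman.exe"}
CONFIDENTIAL = [r"c:\mysecrets", r"c:\certainfolder"]
RULES = [
    ("*", r"c:\mysecrets", False),             # nothing reads it by default
    ("passman.exe", r"c:\mysecrets", True),    # except the password manager
    ("iexplore.exe", r"c:\certainfolder", False),
]

if __name__ == "__main__":
    for app in ("iexplore.exe", "firefox.exe", "passman.exe"):
        for path in (r"C:\MySecrets\vault.db", r"c:\certainfolder\a.txt"):
            print(f"{app:13} {path:24}",
                  "two-group:", two_group_can_read(UNTRUSTED, CONFIDENTIAL, app, path),
                  "per-app:", per_app_can_read(RULES, app, path))
```

In the two-group model the only way to let the password manager read c:\mysecrets is to move it out of the untrusted set, which also lifts every other restriction on it.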