Hope that got your attention! Yes, this should apply to XP too, because XP also has job objects. It might be a little half-baked, but I think it could be made to work.

See first:
http://www.chromium.org/developers/design-documents/sandbox#TOC-Sandbox-restrictions
http://msdn.microsoft.com/en-us/library/windows/desktop/ms684161(v=vs.85).aspx
http://msdn.microsoft.com/en-us/library/windows/desktop/ms681949(v=vs.85).aspx
http://msdn.microsoft.com/en-us/library/windows/desktop/ms684147(v=vs.85).aspx

Job objects let you group processes together and put various controls on them. In this case the control we want is ActiveProcessLimit in the JOBOBJECT_BASIC_LIMIT_INFORMATION struct. This lets you set a maximum number of processes belonging to the job object. If:

- The job object is set to make spawned processes also part of the job
- A job process tries to spawn another process
- ActiveProcessLimit is too low for that process to join the job

then the process creation will fail, which is exactly what we want. There may be other restrictions possible, but that's the main one.

I think there are a couple of ways of doing this...

A) Create a job object with an ActiveProcessLimit of 1, for each and every process that should be restricted. This might be memory intensive or otherwise problematic. This might be better:

B) Create one job object, and build a list of restricted programs. When an allowed program spawns, increment ActiveProcessLimit and assign it to the job. When it exits, decrement ActiveProcessLimit. This way processes associated with the job will be blocked from spawning anything. That's kind of complicated though, and you also have the issue of malware co-opting an allowed process. So I have a better idea, inspired by VoodooShield:

C) User lockdown. When the user hits the Big Red Button (or otherwise triggers the HIPS, maybe by launching one of a list of Internet-facing apps...)

- a new job object is created with the aforementioned restrictions
- ActiveProcessLimit is set to however many processes are running in that user account
- All the user's processes are added to the job object, and ActiveProcessLimit is decremented if any exit

So, no new applications can spawn until the user hits the Big Green Button and the HIPS invokes CloseHandle on the job object.

... Is this workable? I think I might be reading the Windows API stuff wrong, but if not I hope this is useful to someone...

Edit: tell you all what, I'll try to create a command line implementation later this evening. Might take me a while though, as I'll need to create a Windows VM for it...

Edit2: obviously blocking process creation is not enough to avoid CreateRemoteProcess hijinks and stuff, but there are other access controls available too, even on WinXP.

BTW, to anyone who's actually reading this: are there any SysInternals tools that can mess with job objects? ProcessExplorer can view jobs, but can't seem to change them.
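The ActiveProcessLimit mechanism described above, scaled down to a single process, as an added PowerShell example (not the poster's code and not an implementation of the full lockdown idea). It puts the calling PowerShell process into a fresh job whose ActiveProcessLimit equals the number of processes in it (one), shows that a spawn from inside the job then fails with ERROR_NOT_ENOUGH_QUOTA, and lifts the restriction by raising the limit with a second SetInformationJobObject call. It assumes Windows PowerShell with Add-Type available and that the calling process is not already in a job (XP through Windows 7 cannot nest jobs, so the script checks with IsProcessInJob first). The P/Invoke declarations follow the documented kernel32 signatures; the `Set-JobProcessLimit` helper and the limit value 64 used for the release step are this example's own choices. The example raises the limit rather than closing the handle because, on my reading of the CreateJobObject docs, the job object persists while processes remain in it, so this avoids depending on handle-closing semantics.

```powershell
# Added example, not the poster's code: single-process demo of ActiveProcessLimit.
# Assumes Windows PowerShell (Add-Type) and that this process is not yet in a job.

$native = @'
using System;
using System.Runtime.InteropServices;

public static class JobNative
{
    // Layout matches the documented JOBOBJECT_BASIC_LIMIT_INFORMATION (x86 and x64).
    [StructLayout(LayoutKind.Sequential)]
    public struct JOBOBJECT_BASIC_LIMIT_INFORMATION
    {
        public long    PerProcessUserTimeLimit;
        public long    PerJobUserTimeLimit;
        public uint    LimitFlags;
        public UIntPtr MinimumWorkingSetSize;
        public UIntPtr MaximumWorkingSetSize;
        public uint    ActiveProcessLimit;
        public UIntPtr Affinity;
        public uint    PriorityClass;
        public uint    SchedulingClass;
    }

    public const uint JOB_OBJECT_LIMIT_ACTIVE_PROCESS = 0x00000008;
    public const int  JobObjectBasicLimitInformation  = 2;   // JOBOBJECTINFOCLASS value

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr CreateJobObject(IntPtr lpJobAttributes, string lpName);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool SetInformationJobObject(IntPtr hJob, int infoClass,
        ref JOBOBJECT_BASIC_LIMIT_INFORMATION info, int size);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool AssignProcessToJobObject(IntPtr hJob, IntPtr hProcess);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool IsProcessInJob(IntPtr hProcess, IntPtr hJob, out bool result);

    [DllImport("kernel32.dll")]
    public static extern IntPtr GetCurrentProcess();
}
'@
Add-Type -TypeDefinition $native

# Helper defined by this example: apply an ActiveProcessLimit to a job handle.
function Set-JobProcessLimit {
    param([IntPtr]$Job, [uint32]$Limit)
    $info = New-Object 'JobNative+JOBOBJECT_BASIC_LIMIT_INFORMATION'
    $info.LimitFlags         = [JobNative]::JOB_OBJECT_LIMIT_ACTIVE_PROCESS
    $info.ActiveProcessLimit = $Limit
    $size = [System.Runtime.InteropServices.Marshal]::SizeOf($info)
    $ok = [JobNative]::SetInformationJobObject($Job, [JobNative]::JobObjectBasicLimitInformation, [ref]$info, $size)
    if (-not $ok) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "SetInformationJobObject failed with Win32 error $err"
    }
}

$me = [JobNative]::GetCurrentProcess()

# Pre-Windows 8 cannot nest jobs, so bail out if we are already in one.
$inJob = $false
[void][JobNative]::IsProcessInJob($me, [IntPtr]::Zero, [ref]$inJob)
if ($inJob) { throw 'This process is already in a job; it cannot join a second one on XP/Vista/7.' }

$job = [JobNative]::CreateJobObject([IntPtr]::Zero, $null)
if ($job -eq [IntPtr]::Zero) { throw 'CreateJobObject failed' }

# Lockdown: the limit equals the number of processes that will be in the job (just this one).
Set-JobProcessLimit -Job $job -Limit 1
if (-not [JobNative]::AssignProcessToJobObject($job, $me)) { throw 'AssignProcessToJobObject failed' }

# Any child would push the job past its limit, so CreateProcess is refused.
try {
    Start-Process notepad.exe -NoNewWindow -PassThru -ErrorAction Stop | Out-Null
    'Unexpected: spawn succeeded while locked down'
} catch {
    "Blocked as expected: $($_.Exception.Message)"   # underlying Win32 error 1816, ERROR_NOT_ENOUGH_QUOTA
}

# Release: raise the limit instead of closing the handle (64 is an arbitrary headroom value).
Set-JobProcessLimit -Job $job -Limit 64
$child = Start-Process notepad.exe -NoNewWindow -PassThru -ErrorAction Stop
"Allowed after release: notepad pid $($child.Id)"
Stop-Process -Id $child.Id
```

Run it from an interactive console rather than from a host that already wraps its processes in a job, or the IsProcessInJob check will stop it before anything is assigned. Notepad is spawned with -NoNewWindow so that Start-Process goes through CreateProcess directly rather than ShellExecuteEx, which keeps the failure path the one the job limit governs.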