I recently created a thread called "No such thing as 100%". Correct me if I'm wrong, but I don't recall anyone challenging those words by saying that they use Sandboxie. Now I wonder to myself why! I am certain there have been many threads on Wilders praising Sandboxie, but I think it deserves one more! Just to get things clear regarding how many Christmas dinners you're going to have to sacrifice per year (haha!) - Sandboxie can be used free of charge (but rather stripped down), or you can pay a one-off relatively reasonable sum of money (about the price of 2 expensive meals in my country) to get the full version...for life. Yes, for life, including updates for life. Incredible. I must thank the Wilders user "demoneye" for introducing me to Sandboxie and making sure I discovered its true power. Many thanks also to him for helping me setup the excellent (dare I say bullet-proof) configuration below. To be honest, I had installed and trialled Sandboxie about a year ago and very much disliked the fact that it slowed down the opening of my web browser. This has since much improved in the latest version, especially when enabling the force run sandbox option. For my setup (see my signature), opening my web browser sandboxed on cold start takes about 5 seconds longer. On warm starts, it takes about 4 seconds longer. This I can live with! Running my chat messenger program sandboxed doesn't noticeably affect performance at all. So here's how I setup Sandboxie on my system: Overall, I have 3 separate sandboxes: 1. Sandbox DefaultBox - this would be used to test out any programs I was unsure about (or was suspicious that the program contained malware). All default options here, except I enable "Automatically delete contents of sandbox". 2. Sandbox my chat messenger program - this is used to force start my messenger program sandboxed when run. I have restricted internet access in this sandbox to only my messenger program, my default web browser and Java. I have also restricted Start/Run Access to only my messenger program and my default web browser and Java (meaning that while using my chat messenger program, only my "web browser.exe" and my "messenger program.exe" can run at any time). In addition to all this, I have Drop rights enabled (which means that my chat messenger program will run with reduced rights, even though I'm running my overall system on an administrative account). 3. Sandbox my web browsers - this is used to force start both the web browsers on my system sandboxed when run. I have restricted internet access in this sandbox to only the two web browsers and Java. I have also restricted Start/Run Access to only the two web browsers and Java (meaning that while using either of the web browsers, only their respective .exe components can run at any time). In addition to all this, I have Drop rights enabled (which means that my web browsers will run with reduced rights, even though I'm running my system on an administrative account). Everything is now setup and automated. Quite incredible really. For me, my web browsers and my messenger program are the main applications that access the internet daily, and thus have earned a separate sandbox configuration as above! The main reason for separating them is to make updating new versions of each application easier. Fellow Sandboxie users will understand this. Any other Sandboxie user please feel free to post how you setup your configurations! Together with my second layer of defense (gosh, I never expected CIS to be the second layer!), I think I am nearing that 100% mark. In fact, I think I could come up with an argument that all you need is Sandboxie alone to get near that 100%!