Here's how I configure my Sandboxie:
1. Create as many separate sandboxes as is required for your internet facing applications. Try to have one separate sandbox per internet facing application.
2. In each sandbox, use the appropriate start/run and internet access restrictions and only allow your program to start/run and access internet within its sandbox. You may also need to allow other programs depending on whether the application interacts with other processes.
3. In each sandbox, enable Drop my rights.
4. In each sandbox, block file access to any areas of your computer containing sensitive information (e.g. “My Documents”).
5. In each sandbox, configure Read-Only access to C:\WINDOWS.
6. In each sandbox, force the relevant application to always run in its sandbox.
7. Do not use any OpenFilePath rules for any internet browsers (note there are a few exceptions here, like enabling an OpenFilePath rule to allow direct access to the Firefox phishing database).
8. You will need at least 2 browsers. One browser will be used for everyday browsing and other non-critical/sensitive activity.
9. The other browser will be used for online banking and other critical/sensitive activity.
10. For the browser in step 9, configure its sandbox to automatically delete whenever the browser closes.
11. Depending on the nature of your other internet facing applications, you may choose to also configure their respective sandboxes to automatically delete on closing.
12. This step is obviously optional: have one sandbox to test applications/malware in (the DefaultBox will do) where the only configurations are to enable automatically delete and block file access to any areas of your computer containing sensitive information (e.g. “My Documents”).
13. Create separate sandboxes for each USB/external drive hardware you have connected (or would connect) to your computer. Force run the relevant drive letter to run in the relevant sandbox. Other configurations/restrictions may be applied here (see above).
14. Create separate sandbox(es) for your CD/DVD drive(s). Force run the relevant drive letter to run in the relevant sandbox. Other configurations/restrictions may be applied here (see above).
15. Create a separate sandbox for your Virtual Machine program, and force run it in this sandbox. Other configurations/restrictions may be applied here (see above).
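The steps above written out as a Sandboxie.ini fragment (classic Sandboxie syntax), as an added example that is not part of the original post. The box names, the choice of firefox.exe for everyday browsing and chrome.exe for banking, and drive E: as the USB drive are assumptions; the Firefox phishing-database OpenFilePath exception is deliberately left out.

```ini
; Added example, not from the original post. Box names, program names and
; the drive letter are assumptions; adjust them to your own setup.

[EverydayBrowser]
Enabled=y
; Step 2: only firefox.exe may start inside this box, and only firefox.exe
; may reach the network (add further "!program.exe" entries if the browser
; needs helper processes)
ClosedIpcPath=!firefox.exe,*
ClosedFilePath=!firefox.exe,InternetAccessDevices
; Step 3: Drop my rights
DropAdminRights=y
; Step 4: no access to sensitive areas (%Personal% is My Documents)
ClosedFilePath=%Personal%
; Step 5: Windows folder is read-only from inside the box
ReadFilePath=C:\WINDOWS
; Step 6: the browser is always forced into this box
ForceProcess=firefox.exe
; Step 7: no OpenFilePath lines for the browser in this box

[BankingBrowser]
Enabled=y
; Steps 2-7 repeated for the banking browser (assumed chrome.exe)
ClosedIpcPath=!chrome.exe,*
ClosedFilePath=!chrome.exe,InternetAccessDevices
DropAdminRights=y
ClosedFilePath=%Personal%
ReadFilePath=C:\WINDOWS
ForceProcess=chrome.exe
; Step 10: the box is wiped every time the banking browser closes
AutoDelete=y

[UsbDriveE]
Enabled=y
; Step 13: anything launched from the USB drive (assumed E:) runs here
ForceFolder=E:\
DropAdminRights=y
ClosedFilePath=%Personal%
ReadFilePath=C:\WINDOWS
AutoDelete=y
```

Sandboxie keeps one sandbox per `[Section]`; repeating `ClosedFilePath=` lines within a section is how multiple restrictions are expressed.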