I have a site that loads all sorts of things, so I dedicated to it a sandbox of its own. Alas, it's too easy to accidentally start surfing to other sites through that sandboxed browser. See, I can't delete this sandbox because it would be insane to start loading those things from scratch every time, yet it's too big to always copy over from a backup. So I need to ensure it's a "safe" sandbox. Sandboxie has settings like "only let this program connect". But within that program/browser (IE), can I somehow get it to refuse any other domain? That is, a white opt-in list of acceptable domains.

I don't think this is within the scope of Sandboxie, which does not try to be a firewall.

But I can suggest this: You might be able to copy your browser EXE, for example from iexplore.exe to iex2.exe, and along with a firewall that can set rules based on executable name, maybe restrict this iex2.exe to specific domains.

You can read here; and set it up with Internet Options from the sandboxed Tools Menu.
http://www.winforums.com/showthread.php?t=10326

Ok, Mitch beat me to it, but since I already wrote this, here it is...


You can do this directly in your sandboxed IE settings: simply redirect all sites to a nonexistent proxy server like localhost, then allow whitelisted sites to bypass the proxy. This worked great when I tested on Win XP with IE 8.

Steps for IE 8:

1. In your sandboxed IE, go to Tools > Internet Options > Connections > LAN settings.
2. Enable "Use a proxy server or your LAN", then click "Advanced".
3. Enter 127.0.0.1:80 as the proxy server and, if appropriate, enable "Use the same proxy server for all protocols".
4. Enter your whitelisted sites in the Exceptions section. (For sites that serve pages from multiple subdomains, you may want to use wildcards, for example *.nytimes.com instead of www.nytimes.com. More details on TechNet.)
5. Prevent IE from classifying whitelisted sites as intranet zone sites: In Tools > Internet Options > Security, click on "Local intranet" and then click "Sites". Deselect "Automatically detect intranet network" and then deselect "Include all sites that bypass the proxy server".

Perhaps a different skin for the sandboxed browser would also help?

By the way, the procedure for Firefox is basically the same: go to Tools > Options > Advanced > Network, and then click on "Settings..." in the Connection section.

If you want to set a single whitelist for all programs, you might be able to use a lightweight proxy like Privoxy (see FAQ: Whitelist). I haven't tried Privoxy sandboxed though.

Sorry Mike Lwc, set your home page while you are in there if you want.

Setting up the homepage was the first thing I did (before realizing all of this - thanks!). How do I do step 5) in IE6?

Although isn't there a way to do an alternate trick in a sandboxed system32\drivers\etc\hosts? That way the white list wouldn't need step 5). Plus I actually use a proxy and thus prefer not to lose it by using the aforementioned method.

Sorry, don't know. Does IE6 treat proxy bypass sites as intranet zone sites by default? In IE8, Step 5 actually isn't necessary - if you skip it, IE will automatically turn off the less secure intranet settings.


A blacklist would be easy, but I'm not sure about a whitelist. In order to get "block all, except x" functionality from the hosts file, I think you'd have to disable DNS lookups inside the sandbox. Also, wildcards aren't allowed in the hosts file.


Ok, can you run a duplicate, sandboxed proxy on a different port, and add a whitelist to it?

I'm looking at this as the site being run in its' own dedicated sandbox, with its' own reghive. Is the other proxy set up at the router or through Internet Options? If it is not through the router, you should be able to leave everything as it is on the computer - and just make the change in that one sandbox, through that sandboxs' setting in Internet Options. Remember the proxy in this sandbox is a dummy. Now I don't know if you will be able to bring up one site using the existing real proxy in one sandbox, alongside this site in the new sandbox at the same time - you will have to try it. You might have to blacklist this site in the real proxy and only whitelist this site in the dummy proxy for it to work simultaneously. What should be the result of all of this is that all of your sites except this one run in one sandbox with the working proxy - and this site is in a different sandbox with the dummy proxy - but then when this site connects it actually would be UNproxy'ed completely. That's the tradeoff.

I never said the tradeoff wasn't easy. It's just that there is a tradeoff in the first place. The ideal solution is a whitelist with no tradeoff...it's so like Microsoft to make hosts an opt-out file. As for step 5), IE6 does need it:

Yeah it is right where Mike said it was. It is only a tradeoff if you want this one particular site to go through a working proxy. I wonder if it is possible to whitelist a site in the Restricted Zone, instead of the Host file?

I was wondering that too, but I don't think the allowed wildcard patterns are sufficiently flexible. (If you feed it a pattern like *://* it'll show examples of what's allowed.)


Ok, so you want your sandboxed IE to work through your existing Proxomitron proxy, and to only access whitelisted sites. If you can disable DNS lookups in the sandbox, you can make the sandboxed hosts file into a makeshift whitelist. (However, you can still bypass the whitelist by entering an IP directly in IE.)

tzuk, is there a way to block DNS inside the sandbox, perhaps by blocking the DNS Client service?


lwc, I asked this above, but can you run another Proxomitron instance sandboxed, on a different port? In your other thread, it sounded like the proxies conflicted because they were on the same port.

Or how about using some parental control software, or tzuk's original suggestion?

I'll probably rather cancel the proxy for this one site than renaming files or running 2 Proxomitron configurations. It's just one site after all, and it's so easy to use the aforementioned method (thanks again to everyone who suggested it). I'll just have to remember tweaking it if I move to IE8.

As for your question on running Proxomitron on 2 ports, this month is actually the 1-year anniversary for this very topic.