If I am running a program in the Sandbox, can that program access any files outside of the Sandbox? For example, can firefox or another program which is running inside SBIE have ability to read and send files and data over the internet to someone else?

If so, is there a SBIE feature that can lock a particular partition or folder so nothing inside the SBIE can gain access to the drive or partition or folder?

Cheers!

Yes, by default any sandboxed application can read any file and send the data over the internet.



Yes, Sandboxie has the ability to do that.

Wow that is surprising, even shocking, that programs and web browsers INSIDE the SBIE Sandbox, can actually get out of the Sandbox and read and access my personal files and data elsewhere on my system and even send that data back to hackers. I was under the impression that SBIE would stop anything getting OUTSIDE of the SBIE to do that.

So what am I missing here? What does SBIE do actually then?

And you stated that SBIE has the ability to LOCK a partition hard drive, partition or folder, but I am not clear as how to do it, seeing you didn't give any instructions.

Cheers!

It´s not surprising because Sandboxie can not guess what folder(s) a user wants to block.

What does SBIE do? It avoids that sandboxed applications write to real disk. That´s the general purpose of the tool.

How to block folders:

http://www.sandboxie.com/index.php?ClosedFilePath

@tonyseeking

Why don't you restrict the default sandbox to only allow your browser access the internet ?
This way if anything starts to read your folders, it can't send anything.
After the session, you just delete the contain of this sandbox.

I did also restrict any program except FireFox and it's plugin container to run to run.
And then I restricted FireFox to not be able to open/read folders I keep private data inside.

Very simple..., but it helps !

If I have a folder that contains files that sandboxed programs don't need to read, I prefer to use the Write-Only Access setting instead of the Blocked Access setting.
Sandbox Settings > Resource Access > File Access > Write-Only Access

The Write-only Access setting makes it look like the specified folder is empty, as far as sandboxed programs are concerned.
There's no error message generated if a sandboxed program tries to read from (or write to) the folder. It just appears to be an empty folder - no files.
You can still specify that folder in a Quick Recovery setting, so that anything that the sandboxed program writes to that folder can be recovered out of the sandbox, if you choose to do so.

All of my sandboxes except one, have the setting:
WriteFilePath=%Personal%\
because the programs that use those sandboxes have no need to read from my Documents folder.
And yet, as I said, I can still use that folder as a Quick Recovery folder and let sandboxed programs save files there for recovery.

The only sandbox in which I don't use this setting is my email program's sandbox. There, I sometimes want to save an email as a .eml text file, outside of the sandbox.
So I need to be able to use a "Save As" browse box in order to navigate to the proper sub-folder underneath the Documents folder, to save the file there.
I thought about moving the sub-folder where I save these .eml files, but I haven't thought about any place that I like better than the sub-folder that I've always had under the Documents folder.

The Blocked Access setting simply blocks all reads/writes to the folder specified, and causes an error message when that happens. The specified folder is useless, as far as sandboxed programs are concerned.

What exactly is this "plugin container" anyway, that I believe firefox wants to add to SBIE?

I have added a particular folder to:

1. The Write-only Access.
2. Blocked Access.

What's the difference between the 2, and I have the folder in BOTH sections in SBIE. Good or bad idea?

Plugin-Container.exe runs as a separate process from firefox.exe, and is used when certain web content is detected at a site - such as Flash content.
The idea is to run that content in a separate process, so that if it crashes it does not crash firefox.exe.

Blocked Access will take precedence, and Write-Only Access will do nothing.
In other words, the folder cannot be accessed by sandboxed programs, just as if the Write-Only setting wasn't used.

So isn't it better to BLOCK the folder than chose Write only Access?

In terms of security, block and write only access are equivalent.

In terms of usability, write only access is better.

Conclusion: write only access will be usually a better option.

Ok thank you. So Write Only Access means that nothing in the SBIE can read or access that folder?

If I am not missing any part from "Write Only", then yes, that´s right.

Write-Only Access means that the files in the specified folder, and all sub-folders that may exist there, are hidden from the sandboxed program.
The folder itself can be accessed, by the sandboxed program. It just looks like it's empty.
So nothing can be read from that folder or any sub-folders, and the sandboxed program does not receive any error message when it tries to read from that folder.

Normally, with a folder that is specified as Write-Only Access, a sandboxed program will be able to save files to that folder. But the saved files will be in the corresponding folder that's inside of the sandbox, not the folder that's outside of the sandbox.
So if desired, you can specify that folder as a Quick Recovery folder, and you can recover the files outside of the sandbox to the "real" folder, if you want to.