Sandbox (as reported in these forums) is not a real one and sometimes has strange issues.
And i suppose that secure dns (and every concurent software) does not know all malwares in the world in real time.
A second line protection for unsafe users, why not, but a "must"?
My idea is that firewall/hips should be enough (but don't make me say what i did not, i.e. that NIS, KIS or whatever you call it would be as good or better once the comparison made fair, without the sandbox looking only to me, but it's only my personal opinion, as a gadget).