To simplify my points above:
I mean, connections should be blocked only for programs running in the sandbox, i.e. for programs running outside the sandbox (trusted/user-trusted), connections should not be blocked.
Options should be there.
And if the "Block" option is selected, it shouldn't be a silent block, i.e. no notification. The user should get a notification; it could be an alert like the auto-sandbox alert, with "(program name) connections blocked" and an option to allow connections.