I know how to open my browser sandbox on a one-time basis, but how can I set it to always open sandbox?
and what are the recommended settings for this?
You should create an auto-sandbox rule for chrome Configure Rules for Auto-Sandbox, Sandbox Security Software | internet Security.
this will automatically give it the right rules for a browser?
You would still need to create an allow outbound rule for the firewall if you don’t want to get an alert for network access when chrome is being sandbox as CIS will always alert for network access for sandboxed applications regardless of rating. Chrome will work the same way as when you manually run chrome sandboxed, the rule you create just tells the auto-sandbox to automatically sandbox chrome whenever chrome is executed.