The CIS sandboxing idea is great; it can be improved a bit.
1- Reduce the restrictions imposed on sandboxed applications
Looked at another way, a sandboxed application is nearly equivalent to D+ prompts answered in the negative, plus file and registry virtualization.
Currently sandboxed apps run with limited privilege; that is more than enough.
The aim of CIS should be to guard the user's computer from unauthorized changes without impacting applications.
- Currently sandboxed apps are prevented from modifying protected keys; this includes many keys, including startup keys. This restriction can be relaxed to startup entries only for sandboxed apps, because when an app is not running it is no longer harmful.
- Access to COM should be restricted to network access COM objects ONLY, as these may compromise the user's privacy and cause network leaks.
- The restriction of 10 processes is more than adequate.
- A sandboxed app should be allowed to use the printer, keyboard and mouse.
- In fact it should be allowed nearly everything except autostart and network access. As regards interprocess communication, the restriction should be limited to shellcode injection.
- It should not be allowed to terminate other processes except those created by it.
- It should be prevented from screen capture only; NO other restriction should be there, i.e. it should be able to access the screen without any restriction.
2- Sandboxed apps' data should be stored in a disk file, not in hklm\system.…
It does not make any difference to the size of data in the registry in the current setup: when an application is sandboxed you are moving its entries around from unrecognized file to safe/trusted.
If the sandbox is disabled then one entry is made in CSP, all landing in the registry. It is not efficient, though modern computers have large RAM.
Data about registry access should also be stored in a disk file like c:\virtual root, in an XML file or other CIS-defined format.
Hoping the devs will take note of my very ordinary suggestions.