Sandboxie and Sandboxing explained
One purpose of sandboxing applications is to prevent any permanent damage to your system caused by malware. The basic idea is that you prevent the malware from having access to your real system by having the sandbox pretend to be the real operating system. Applications that run inside the sandbox don't know they have no direct access to the OS or to any other system resources.
Sandboxie is somewhat different from the usual sandbox program since it does not virtualize everything. It virtualizes only the resources that are requested by the programs running inside the sandbox. The Sandboxie website lists these resources as: Files, Disk Devices, Registry Keys, Process and Thread objects, Driver objects, and objects used for inter-process communication such as Named Pipes and Mailbox Objects, Events, Mutexes, Semaphores, Sections and LPC Ports. It's worth noting that because Sandboxie does not allow loading drivers within the sandbox and refuses access to the Service Control Manager, rootkits cannot be installed.
The benefits of Sandboxie compared to a sandbox application like Returnil are mostly convenience. You don't have to reboot to run a program in a sandbox, and conversely you don't have to reboot to get out of the sandbox. An analogy is CrossOver Mac, where Windows applications look like they are running natively within the Mac OS, or andLinux, where Linux applications appear to run natively within the Windows environment. In reality, applications running in CrossOver or andLinux are not running natively. They are running in what I think of as a blended mode: the application itself is virtualized, along with only the native OS resources required to run it. Sandboxie performs in the same way. It blends sandboxed applications into the non-sandboxed environment.
An application can be preset to run in a sandbox so that every time you start it, it runs in the sandbox, automatically starting the sandbox if necessary. Also, in a program like Explorer you can right-click and choose to run in the sandbox. Any application that is started by an application running in the sandbox is also started in that sandbox. You can also run multiple sandboxes to isolate sandboxed programs from each other. When the last sandboxed application is closed you can use a third-party application to securely delete the sandbox.
Using Sandboxie you can define exceptions that give applications access to specific resources outside of the sandbox. For example, you can allow your browser access to the actual file (or folder) where bookmarks are stored so that you don't lose any bookmarks when the sandbox is deleted. Exceptions can be made for almost any system resource. You can also define Quick Recovery folders (e.g. the folder where you store your downloaded files) so that Sandboxie prompts you to save a file outside of the sandbox. This is useful if you will be deleting the sandbox but don't want to lose a downloaded file. Access to resources outside of the sandbox can be denied as well. By configuring the ClosedFilePath and ClosedKeyPath settings within each sandbox's options you can deny access to any resource that you do not want the sandboxed applications to see. By default, sandboxed applications have read-only access to the file system and registry.
The drawback of Sandboxie (and similar programs) is that it is theoretically possible to write an exploit that bypasses the sandbox protection. If that happens, a malicious program could do as much damage to your system as an application running outside of a sandbox. A sandbox application that virtualizes the entire OS and all resources, like Returnil, is more (but not entirely) immune to this, presuming that at some point you save something outside the sandbox.
An example Sandboxie setup is to configure two sandboxes. The first sandbox contains internet applications (the highest risk). The second contains applications that are untrustworthy or that are being tested. The first sandbox is automatically deleted after each use. The second is for longer-term use and is only deleted manually.
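As an added illustration (not part of Cith's post), here is what the exceptions, denied paths and Quick Recovery folder described earlier, plus the two-sandbox layout above, look like in Sandboxie's configuration file, Sandboxie.ini. ClosedFilePath and ClosedKeyPath are the settings named in the post; OpenFilePath, RecoverFolder, AutoDelete, ForceProcess and Enabled are standard Sandboxie.ini settings. The box names, the user profile path, the program names and the bookmark/key paths are constructed sample values, not taken from the post.

```ini
; Constructed example Sandboxie.ini fragment.
; Each [BoxName] section is one sandbox; settings apply only to programs running in that box.

[InternetBox]
Enabled=y
; Browser is forced into this box whenever it is launched (the "preset to run in a sandbox" behaviour).
ForceProcess=firefox.exe
; Exception: let the browser write its real bookmark database so bookmarks survive box deletion.
; The "program,path" form limits the exception to that one program (sample profile path, wildcard for the profile folder).
OpenFilePath=firefox.exe,C:\Users\Alice\AppData\Roaming\Mozilla\Firefox\Profiles\*\places.sqlite
; Quick Recovery folder: Sandboxie prompts to move downloads out of the box before it is wiped.
RecoverFolder=C:\Users\Alice\Downloads
; Denied paths: sandboxed programs cannot even read these (tighter than the default read-only view).
ClosedFilePath=C:\Users\Alice\Documents\Finance\*
ClosedKeyPath=HKEY_CURRENT_USER\Software\ExampleBank\*
; High-risk box: discard all contents automatically when the last sandboxed program exits.
AutoDelete=y

[TestBox]
Enabled=y
; Longer-lived box for untrusted or under-test software; no AutoDelete, so it is emptied manually.
; Same denied paths so the software under test cannot observe sensitive data either.
ClosedFilePath=C:\Users\Alice\Documents\Finance\*
ClosedKeyPath=HKEY_CURRENT_USER\Software\ExampleBank\*
```

The point to notice is the direction of each rule: OpenFilePath deliberately punches a hole in the sandbox (only one file, only for one program), RecoverFolder copies data out only when you confirm the prompt, and the Closed* settings remove visibility entirely rather than just write access. Keep the Open* list as short as possible, since every entry is a path that a sandbox-escaping or simply misbehaving program can modify for real.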
Hope this is what you were looking for Leo! Yes Seti, I know it's too long :)
Cith