If "Drop Rights from Admin..." is NOT selected, and if C:\Windows and C:\Program Files folder is not listed in "File Access/Read-Only Access", can installing programs into SBIE be a security threat and can the program, if malware of virus, then infect my entire Windows?

Thanks in advance

Even if installing under admin rights you should be fine as long as experimental protection is enabled. If you want a super locked down sandbox then you can go ahead and drop rights and restrict writing even within the sandbox. Also you can restrict what programs are allowed to run in the first place.

What is experimental protection? And how do I enable that in 3.70?

And the problem is, if I drop rights, then programs won't install into the Sandbox.

So what is the settings I can do, to make sure installing programs WORKS, yet enough protection to avoid any program leaking from SB into my system?

Please read about it here:

http://www.sandboxie.com/index.php?ExperimentalProtection

Experimental Protection
To Enable Experimental Protection: Open Sandboxie Control > Configure Menu > Experimental Protection (64-bit)

I am running W7 32 bit, not 64 bit.

Anyone able to answer my question? What are the settings I can do, to make sure installing programs WORKS, yet enough protection to avoid any program leaking from SB into my system?

Hi Mozart, a default settings sandbox is more than enough protection when you are trying programs but make sure to disable Drop Rights, otherwise programs wont install. Also set the sandbox to delete on closing or not to delete if you want to keep the sandboxed program for a while. Thats what I do whenever I install a program in a sandbox and have never seen anything get out of the sandbox.

Bo

Hey Bo, so if we disable Drop Rights, and install a program which ends up being malware or a messy program, does that mean the program can change files and add files OUTSIDE the Sandbox because we have disabled Drop Rights?

Changes don't affect your system as they take place inside the sandbox and are kept there until you delete it. Your real system remains intact.

Bo

So Bo, if that's the case, then why do we need to ENABLE "Drop Rights from Admins....."?

You don't enable Drop Rights to keep changes inside the sandbox. Enabling Drop Rights keep programs from doing certain things when they are inside a sandbox. Thats whats for, like for example, programs wont be allowed to be installed sandboxed.

Bo

So "Drop Rights from Admins....." has nothing to do with programs INSIDE the SBIE being allowed or disallowed to do anything OUTSIDE the SBIE?

I always thought that I should enable "Drop Rights from Admins....." so to stop anything INSIDE the SBIE from doing anything OUTSIDE the SBIE. So that's not the case at all? Even if "Drop Rights from Admins....." is DISABLED, no program INSIDE the SBIE can do anything OUTSIDE the SBIE anyway?

But why would you need or want to limit what programs can do INSIDE the SBIE seeing they are INSIDE the SBIE anyway and cannot touch anything OUTSIDE the SBIE?

In other words, WHY exactly would you need to specify whether Sandboxie will strip Administrator rights from programs running INSIDE a sandbox, seeing the programs can only do things INSIDE the SBIE anyway?

Anyone able to give me understanding and clarity about that?

I have a QUESTION: If I install a hard drive Defrag program into SBIE and run the program, will it DEFRAG the proper hard drive, or some kind of fake SBIE "hard drive" inside SBIE?

AND, if I install a Registry program inside SBIE and run it, will it check the SBIE Registry or my proper Windows 7 Registry? Because I installed Wise Registry cleaner into SBIE and ran it from inside SBIE, but I think it's scanning my REAL W7 Registry?!? Anyone with an answer?

And it's reading my Startup menu as well, but how come a program installed into SBIE and run from INSIDE SBIE can read my proper W7 Startup menu???

Defrag programs would require driver installation which won't fly I'm afraid. And now in reply to your last few too many posts, I want you to take a deep breath and repeat with me: NOTHING IN THE SANDBOX CAN HAVE ANY EFFECT ON ANYTHING OUTSIDE IT!

There is a nice little diagram on the site's main page for your convenience. It demonstrates the point once and for all
Now there, see, that wasn't a hard concept to envision after all.

So when I ran Wise Registry from INSIDE SBIE, it found errors from programs I installed BEFORE I even installed SBIE. So does this mean that whenever I run SBIE that SBIE makes a COPY of my proper W7 Registry into the SBIE and Wise scanned the SBIE registry?

If so, where is the copy of the whole W7 Registry in the SBIE? Is it the file called "RegHive"? Is that the file Wise Registry cleaner was scanning and cleaning?

And D1G1T@L, do this... type regedit in start menu, choose to run INSIDE SBIE and then click on "HKEY_LOCAL_MACHINE/SECURITY". Why does it say "An error is preventing this key from being opened, ACCESS DENIED"?

And ANOTHER question... when I installed Eraser into SBIE and run it from INSIDE SBIE and chose to wipe my K: partition, why did Eraser begin to wipe my actual K: Parition and even show the exact files on it?

Guys, I just want to warn you not to take that guy seriously. He will just annoy you to no end with retarded questions that can be answered by common sense.
This is TheMozart, that states that tzuk denied him of help a long time ago. (he states it as tzuk is defensive of criticism or something like that). He stated that Sandboxie's forum is a wasteland. You can find a thread about it in Wilders. I am warning you that he will just waste your time. He sees things like running 10 videos in separate windows under Sandboxie will slow his system down and blame Sandboxie with the cause. (he doesn't realize how retarded it is to run 10 different videos SIMULTANEOUSLY).
I am not doing this to harm his reputation (he has none). I am doing this so that tzuk and the others will not waste their time.
link to the Wilders thread -http://www.wilderssecurity.com/showthread.php?s=ff33f9cf2878fc411ff45ac646aa80f3&t=323950