Can AppContainer Network Service/Process sandbox be combined with Sandboxie for apps that support it natively (such as Chrome) ?

[ghost]

The latest version of Chrome supports native AppContainer Network Service/Process sandboxing if you assign Chrome.exe the right privileges with icacls . /grant "*S-1-15-2-2:(OI)(CI)(RX)" . You can then check "chrome:sandbox" page to see if it works. It does for me, but only outside Sandboxie sandbox. With the icacls assignment I mentioned AppContainer provides both - Network Service/Process sandbox and Untrusted level of integrity. With Sandboxie you only get Untrusted level of integrity, but not Network Service/Process sandbox. Is it possible to combine the two?

Can Sandboxie provide Network Service/Process sandbox like AppContainer? Just FYI, you don't need UWP for AppContainer to work. You don't even need Windows Sandbox. I remove almost everything UWP-related from Windows and don't enable any Hyper-V features, but I do enable Hypervisor for CPU and use Virtualization Based Security.

I don't even know what AppContainer Network Service/Process isolation does, but I don't think its the same as Sandboxie's firewall approach. I think AppContainer sandboxes Network Service/Process itself . It is very confusing with Microsoft: Hypervisor, Hyper-V, VM, Window Sandbox, Virtualization Based Security, AppContainer (same as Windows Container, I guess?)

[ghost]

Just another thing to add is that launching Chrome sandboxed with "--enable-features=RendererAppContainer" flag results in all of Chrome's extensions crashing and Chrome not loading websites. Looks like Win32 container features in Windows 11 are not compatible with Sandboxie even for non-UWP software. Does Sandboxie provide any GPU-related isolation?