NTFS: Deny all permissions for all files, except where explicitly added
Posted by Simon on Server Fault
Published on 2012-09-14T23:05:07Z
I'm running a sandboxed application as a local user. I now want to deny almost all file system permissions for this user to secure the system, except for a few working folders and some system DLLs (I'll call this set of files & directories X below).
The sandbox user is not in any group. So it shouldn't have any permissions, right? Wrong, because all "Authenticated Users" are a member of the local "Users" group, and that group has access to almost everything.
I thought about recursively adding deny ACL-entries to all files and directories and removing them manually from X. But this seems excessive.
I also thought about removing "Authenticated Users" from the "Users" group. But I'm afraid of unintended side-effects. It's likely that other things rely on this. Is this correct?
Are there better ways to do this? How would you limit the filesystem permissions of a (very) non-trustworthy account?
© Server Fault or respective owner
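The following is an added example, not part of the original post: a simplified Python model of the Windows DACL access check, showing why the sandbox account gets access through the "Users" group and how the deny-ACE idea from the question plays out. The SID names, rights masks and ACL contents are constructed for illustration, and the last function goes beyond the post to show how an inherited deny interacts with an explicit allow under canonical ACE ordering.

```python
# Simplified model of the Windows DACL access check (added example; all values constructed).
from dataclasses import dataclass

READ, WRITE, EXECUTE, ALL = 0x1, 0x2, 0x4, 0x7

@dataclass(frozen=True)
class Ace:
    kind: str        # "allow" or "deny"
    sid: str         # trustee the ACE applies to
    mask: int        # rights granted or denied
    inherited: bool = False

def canonical(dacl):
    """Canonical order: explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "deny"))

def access_check(token_sids, dacl, desired):
    """Walk ACEs in order; the first deny touching a still-needed right fails the request."""
    remaining = desired
    for ace in canonical(dacl):
        if ace.sid not in token_sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return False  # rights that no ACE granted are implicitly denied

# The sandbox account was added to no group, yet its token still carries
# these SIDs because Authenticated Users is a member of the local Users group.
SANDBOX_TOKEN = {"sandbox", "Authenticated Users", "Users"}
USERS_ALLOW = Ace("allow", "Users", READ | EXECUTE, inherited=True)
DENY_SANDBOX = Ace("deny", "sandbox", ALL)

def scenario():
    """Return (default ACL, deny stamped on the file, file in X with the deny removed)."""
    default = access_check(SANDBOX_TOKEN, [USERS_ALLOW], READ)
    denied = access_check(SANDBOX_TOKEN, [USERS_ALLOW, DENY_SANDBOX], READ)
    in_x = access_check(SANDBOX_TOKEN, [USERS_ALLOW], READ | EXECUTE)
    return default, denied, in_x

def inherited_deny_vs_explicit_allow():
    """An inherited deny from a parent does not override an explicit allow on the file."""
    dacl = [Ace("deny", "sandbox", ALL, inherited=True), Ace("allow", "sandbox", READ | WRITE)]
    return access_check(SANDBOX_TOKEN, dacl, WRITE), access_check(SANDBOX_TOKEN, dacl, EXECUTE)

if __name__ == "__main__": print(scenario(), inherited_deny_vs_explicit_allow())
```

The real access check walks the DACL in stored order; the model sorts into canonical order first because that is the order standard Windows tools write.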