3. Many sandbox products cover only a small subset of user applications. The vast majority cover only Internet Explorer, maybe Outlook Express. Most don’t cover other browsers (and contrary to popular opinion, all browsers need protection), third-party e-mail clients, IM, or other forms of Internet connectivity. Why they don't protect all Internet connection traffic is a mystery to me.
4. All sandbox products prevent some small percentage of legitimate applications from installing or running. At worst, many can't tell the difference between a Microsoft IE patch and a malware program; they simply prevent both by default. At best, they prevent most malware programs at the risk of higher false positives.
At the other end of the spectrum, some sandbox products are so secure that they don’t provide enough flexibility for consumers and end up being rewritten. For example, Java's first security model was so secure that legitimate applications couldn't be run or store data permanently. Sun had to modify the original security model to be more flexible, which added complexity, creating new vulnerabilities and bugs. To this day, many Java developers still use the old model, which doesn’t allow the necessary freedom that most enterprise applications need to be viable.
5. You would think that security vendors would spend an inordinate amount of time trying to ensure that their products use secure coding principles, but you would be wrong. Many, if not most, of these products contain their own vulnerabilities -- buffer overflows, bugs that crash the system, hard-coded passwords, and so on. You end up trading one set of bugs for another. Although the program's buffer overflow vulnerability is less likely to be exploited than IE's, of course.
6. Most of these security add-ons do not have enterprise deployment and management tools. If the virtualization application isn’t updated, is the same amount of protection still there, or has a new hole opened up?
7. Virtualization applications also complicate support and troubleshooting events. When the underlying OS or app is updated, the sandbox or virtualization product often has to be updated as well. For example, say you install IE 7 or Firefox 2.0 and some previously functioning application or Web site no longer works. Is it the new browser or is the third-party security app not working with the browser?
So, although sandbox or virtualization applications provide additional security, don't begin to believe they are a panacea. Nothing beats a more secure application and OS.