Sandboxing a virtual machine under Virtual PC

Michael asked the following question about sandboxing a virtual machine. I thought it might be of general interest, so I decided to post the answer, which Ben Armstrong, our resident Virtual PC guru, has provided (

Question: I’d like to use a virtual machine as a sandbox which permits the user to do “ugly” things in IE without damaging the host OS. Therefore, it is my interest to block any means of communication between host and guest, including drag and drop, network access, etc.
1. Do you consider Virtual PC appropriate for this?
2. How can I disable drag and drop?
3. How can I disable guest access to the host without limiting Internet access?

Answer (thanks Ben!): Yes – Virtual PC 2004 would be appropriate for this. To disable the integration features under a Windows 2000 or Windows XP virtual machine, you just need to disable the ‘Virtual Machine Additions Services Application’ and ‘Virtual Machine Additions Shared Folder Service’ services in the guest OS. To disable host access – but leave Internet access in place – use Shared Networking.
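
One way to apply and then verify the service change described in the answer, as an added example that is not part of the original post or of Ben's answer. It assumes it is run from an administrator command prompt inside the guest and that sc.exe is available there (it ships with Windows XP); the display names are the ones quoted above, and the label and variable names are illustrative.

```bat
@echo off
rem Added example, not from the original post. Run inside the guest OS.
rem Assumption: sc.exe is available in the guest and the caller is an administrator.
setlocal
set FAIL=0
call :lockdown "Virtual Machine Additions Services Application"
call :lockdown "Virtual Machine Additions Shared Folder Service"
if %FAIL%==0 (echo Integration services are disabled.) else (echo One or more services are NOT disabled.)
exit /b %FAIL%

:lockdown
rem Resolve the display name to the service key name that sc config expects.
set KEY=
for /f "tokens=2 delims==" %%K in ('sc getkeyname "%~1" ^| find "Name ="') do set KEY=%%K
if not defined KEY (
  echo [skip] "%~1" was not found in this guest.
  goto :eof
)
rem Strip the space that follows "Name =" in the sc output.
set KEY=%KEY: =%
rem Stop the running instance; an "already stopped" error is ignored.
sc stop "%KEY%" >nul 2>&1
rem Prevent the service from starting again (the space after "start=" is required).
sc config "%KEY%" start= disabled >nul
rem Verify: sc qc reports START_TYPE as DISABLED once the change is in place.
sc qc "%KEY%" | find "DISABLED" >nul
if errorlevel 1 (
  echo [FAIL] %KEY% is still enabled.
  set FAIL=1
) else (
  echo [ok]   %KEY% start type is DISABLED.
)
goto :eof
```

The script exits non-zero if either service is still enabled, so it can be rerun later as a check that the setting has not been reverted.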

Comments (2)

  1. CN says:

    Isn’t it quite unsafe to do this in the guest os? I mean, really ugly stuff could possibly re-enable those services?

    Is there any way to disable it at the host end?

  2. Hi There,

    No – there is no way to disable this on the host end today (this is something we should do). However there are a couple things to know:

    1) If you want you can remove the files that back the services

    2) The interfaces for these features are designed such that they can only be accessed from kernel mode code, which means that if you run the guest as a non-Administrative account, then there will be no way to access these

    3) The interfaces for integration are all designed to require host side interaction. Nothing can be started solely from the virtual machine environment.