Microsoft since Windows Vista strongly recommends to use what's called a Limited User or Standard User account for regular use of your desktop PC.(
Why use a standard user account instead of an administrator account? )
This a major security feature that follows the
Principle of least privilege . Basically, under this account, the user and all the applications he launches are very limited in what they can do. They can't, for example, modify the system settings, the windows registry, other programs settings (like your browser default search engine, or toolbar, etc...). As you can see, this prevents most of what malware do, without even an anti-virus.
In practice, if you're under a standard user (without administrator privileges) and you click something something suspicious in your browser, Windows will prevent it and give you a warning. You'll be presented with a prompt for your administrator password. At this point if you type the password and allow it, this is on you...
This kind of security can be very annoying when you set up a fresh new installation of Windows since you get constant prompts for your administrator's password which is why many users don't follow Microsoft recommendations (and probably why you put UAC so low). But after this phase, it is mostly silent and is in practice only seen when installing new software or when you encounter malware.
UAC is a response by Microsoft to the hassle of using a standard account : you can still use an administrator account (which is the norm under windows and is part of the culture of its customers) but get warnings when something tries to access restricted parts of the system. I still recommend creating a new account as limited user though. Unless you constantly install new software, this is in my opinion the safest course. Opinions may vary on this though.
More info :
UAC and Virtualization - some infos for all | Wilders Security Forums
Anyway, as you can see a standard user account covers much of what sandboxing applications do : it limits the damage of any untrusted applications. At some point though, when you tell the system that you trust an application, you give them a lot of leeway to do whatever they want. It is very black and white. Untrusted can't do much, Trusted can do almost anything. That's when sandboxing can be nice since it allows you a finer control of what the applications can do. But for most users I don't think this is necessary (and as you'll see below, sandboxing is already implemented internally in some browsers). You should also note that malware can in some instance detect that they are run sandboxed or virtualized and will just stay stealthed and don't do anything, so you can never be sure something is safe by testing it this way.
Here are my recommendations for a secure PC:
* Principle of least privilege: use a standard user account for day-to day use.
* Update regularly. This is very important, automatic updates help with that but can be very annoying when installing at the wrong moments. Windows Update is of course the first to check, but all your other applications and especially Internet facing ones (browser, email, messaging, etc..) are crucial too. This is to prevent
Exploits.
* Use a firewall and block all inbound traffic. The windows firewall does that perfectly by default so make sure it's enabled.
* Use an anti-virus. I'm fine with Windows Defender but a lot of other choices exist. This isn't the be-all and end-all of your security contrary to what AV developers woud like to make us believe, only one of the layers to protect you.
* Disable Autorun. IIRC by default in windows 8, autorun is disabled on USB/CD. If it's not, turn it off, you don't want anything to execute without your consent, since USB sticks have become a major mean of malware transmission. More info :
How to disable the Autorun functionality in Windows
* Install and use EMET (
Download Enhanced Mitigation Experience Toolkit 5.0 from Official Microsoft Download Center). This is a great tool by Microsoft to prevent most current exploits. Be careful with the options though, and use the recommended settings if you don't know what you're doing. More info :
Quickly Secure Your Computer With Microsoft?s Enhanced Mitigation Experience Toolkit (EMET)
* Be careful with what you authorize to run on your PC. Use google to check that anything new you install is safe. Check the
Digital signature of the executables. Use additional virus scanners than your main one, I recommend
VirusTotal which simplifies this process.
* A lot of people will say that you should be careful where you browse on Internet, and it's true... up to a point. Be aware that a lot of malware come from visiting legit and very popular sites, not underground ones. The main culprit are ads which are hosted outside the official sites and can lead to malicious programs or sites. This is why the choice of your browser, no matter if you have safe browsing habits or not, should at least partly be based on how secure it is it is.
Chrome (
Sandbox FAQ - The Chromium Projects) and IE (
Enhanced Protected Mode - IEBlog - Site Home - MSDN Blogs) implement internal sandboxing, and at least with Chrome it is in theory safer than Sandboxie against exploits and
Drive-by downloads. Firefox lacks this (although Mozilla is working on it :
https://wiki.mozilla.org/Electrolysis), but some of its extensions are very good for security like AbBlock and NoScript.
* Disable/Uninstall what you don't use. This is to lower your
attack surface. The more applications/plugins/services/protocols/etc... you have running, the more vulnerable you are. In theory, you should disable everything you don't need. In practice, I recommend disabling/uninstalling Java. Flash is another big offender and if you can I think you should disable it too. At least you should enable the Click To Play Plugins feature in your browser which allows to you selectively run plugins when you want, not all the time.
* Finally : Backup. Backup. Backup. Check for disk-imaging/cloning solutions, free ones exist and speed up the process of restoring your system. Don't rely on anti-virus for clearing your PC when infected but restore to a clean state from your backups.