In the 1990s, a colleague took me to “Snake Alley,” Taipei’s red-light district, for a night of drinking with “entertainers” and some of their very muscled, serious friends. A good time was had by all, fortunately. Still, I was young, dumb, and lucky that I didn’t end up in any trouble.
Some parts of the internet are like that, too. If you think you’ll be potentially surfing into a risky internet neighborhood — a knockoff shopping site, a little-known streaming service, or somewhere you’re just not entirely sure is legit — and you have a spare laptop lying around, you can always repurpose it to become what I call a “Paranoid PC”: a laptop hardened for additional privacy and security.
In my case, I was able to do it for “free.” But it does require a version of Windows 10 or 11 that’s not that common, and an existing VPN subscription. I am also not claiming that this PC configuration will protect you from any and all malware and prying eyes, but it will certainly help.
Putting together a Paranoid PC
- What you’ll need: a VPN subscription and a laptop (16GB of RAM preferred) running Windows 10/11 Pro
I’ve repurposed an older laptop to create my Paranoid PC. You can use your day-to-day PC for this purpose, but it also potentially exposes you to greater risks if anything bad slips through the security screen. In any case, it’s a good idea in almost any case to use an account without administrator access for additional security, and possibly a local account at that.
The key, though, is to have a PC set up with Windows 10 or 11 Pro because of a feature it offers: Windows Sandbox.
Sandbox has been around for five years (!), and I still feel like it’s one of the most underappreciated features within Windows. Sandbox creates a virtualized environment with minimal setup; essentially, it’s a Windows PC within your PC, protected by a “moat” that isolates it from your PC. Once you close Sandbox, the entire “PC” and anything it has within it is erased, permanently. That includes any malware that may have wormed its way in.
Sandbox is an optional feature within Windows 10 or 11 Pro, and to access it you’ll need to turn it on. To enable it, you’ll need to go to the Windows Features control panel, which you can find by searching for Turn Windows features on and off within Windows Search. (We have a deeper dive into Windows Sandbox, here.)
Once you enable Sandbox, Windows will update itself with the appropriate features, reboot, and open up Windows again. You’ll need to launch Windows Sandbox via the Start menu or the Search box.
Sandbox essentially creates a PC environment within a window, but it’s a generic PC. You don’t need to log in, and please don’t! We want this PC to be as quiet and unobtrusive as possible.
PCWorld
You can expand Sandbox to the dimensions of your screen, or leave it windowed. It’s up to you.
Install the Brave browser
I’ve argued in the past that Sandbox provides a powerful level of security and privacy, just by its lonesome. But we’re going to go further. What Sandbox allows you to do is use the built-in version of Microsoft Edge to download other software. And while Microsoft Edge is no slouch in the privacy department, we’re going to use Brave’s browser to provide an additional level of privacy and security.
Mark Hachman / IDG
Brave started off as a very privacy-oriented browser, and still is. Its reputation has soured a bit because of its ties to cryptocurrencies, but it’s still a good choice to download for surfing the deeper reaches of the web. If you want to use another browser, though, (or just Edge) you can. Just make sure to configure it the way you want, adding any plugins you choose. I still wouldn’t log in or otherwise identify yourself, however.
Install a VPN
I use a VPN because, well, it’s none of your business. And that’s the whole point. VPNs can be used to access content in other countries, avoid the eyes of authoritarian governments, privately chat with friends, and so on. It’s akin to locking your door and drawing your shades, and most people do that in the real world.
Mark Hachman / IDG
Running a VPN won’t necessarily protect your Sandbox PC from malware, but it does add an additional layer of anonymity protection. Some VPNs also include upgraded antivirus, too. (Sometimes Brave can get a tad too aggressive in blocking downloads and scripts. In that case, go ahead and use Edge to download a VPN instead.) You might be able to get away with running a VPN outside Sandbox, but just in case I installed it from within the Sandbox environment.
Which VPN should you use for privacy? You can choose from either a less powerful free VPN or one of our more powerful paid recommended VPNs. I prefer a VPN that offers generous device connections to allow me the freedom to install it on multiple laptops, but there are plenty to choose from. VPNs are a category where you get what you pay for, though.
Surf safely through the stormy seas
Once you’ve installed Sandbox, Brave, and a VPN, you’re done. You can begin exploring some of the shadier parts of the web.
Feel free, of course, to install other software. If you want to download a free or premium antivirus package for additional security, go for it. When you think about it, anything bad is going to have to break out of the Brave browser’s sandbox, then get by the antivirus, then crack Windows Sandbox. That’s not impossible, but pretty unlikely.
There are a couple things to keep in mind, though. Pay attention to what environment your cursor is in. If you absent-mindedly open Edge in the standard desktop environment, that browser window lacks all of your Sandbox protections, and probably the VPN’s as well. It’s part of the reason I recommend Brave: Not only is it designed for privacy, but it’s not a browser many people use. Brave signals me that I’m within Sandbox’s protective embrace.
Mark Hachman / IDG
Brave also blocks ads and popups — which, in certain areas of the web, can be an avenue to malware. We still recommend that you surf safe and do not go clicking willy-nilly on anything you see. But, if you do download something malevolent, it should be cut off by Sandbox.
In the worst case, where Sandbox’s “PC” becomes noticeably infected, you can simply close Sandbox down by closing the window. You’ll receive a notification that this will erase everything within the Sandbox environment, but that’s okay. All you need to do is open a new version of Sandbox, which will be pristine and untouched. You’ll then need to re-download Brave, the VPN, and any other software, however. And we’d recommend running an antivirus scan on your main Windows installation just to be safe.
Sandbox does have one other feature worth knowing about: its File Explorer, which is sort of like an airlock. If you do happen to download something involuntarily, it will receive the normal protections from Windows Security. But anything you voluntarily download will land in the Sandbox Downloads folder.
Mark Hachman / IDG
You’d be well advised to double-check the file by right-clicking on it. (In Windows 11, go to “Show more options” and then “Scan with Microsoft Defender” or another antivirus program. Or drop it in VirusTotal.com to check against multiple online antivirus programs.)
Just check it (or run it) from within Sandbox! From there, you can cut and paste it into your main PC operating system.
Security professionals, of course, will have more sophisticated protection available to them. But for the average surfer, this provides some strong additional protection. Think of this “Paranoid PC” as a bodyguard in a dark alley, with a big SUV waiting to whisk you back to the real world if things go bad.
