I've had this idea "Run in Sandbox" for CyberCapture locked files until the analyzed app gets a verdict from CyberCapture.
What about Hardened Mode, particularly Aggressive which is pure whitelisting? This way you can enforce whitelisted apps only, but those that aren't whitelisted could give user option to "Run in sandbox" or "Exclude" them (see my mockup in attached image, I haven't changed the text though). Which would be especially useful for users who have their systems administered by someone else and they have Hardened Mode (Aggressive) locked with password. In such cases, Exclude option would be password protected, but "Run in Sandbox" wouldn't be. This way users can still safely run stuff that isn't whitelisted. Which is a double win. It brings the convenience and security since they will be slightly less restricted, but still secure at the same time.
Again, like with CyberCapture idea, all the tech is basically already there. You just have to add a selection in the popup and connect it with the already existing sandboxing technology used by DeepScreen (now called CyberCapture in settings). Should be rather easy to implement.
