Email attachments don't open themselves. The user has to choose to open them and, in the worst case (curiosity killed the cat), opens them directly from the email rather than saving them to hard disk first and pre-scanning them.
This is further compounded if A) you don't know who sent the email or B) it is from a known sender (which can be faked): is it something they would do, or is it expected? Basically, don't open attachments or click on links in unsolicited emails.
The majority of the so-called drive-by downloads require a degree of user complicity to arrive; mostly that would be achieved by social engineering, tricking the user into clicking/accepting the thing.
Both of the above are helped with a degree of common sense and scepticism; don't trust/confirm.
This is why I also use Firefox with the NoScript (and RequestPolicy) add-on, as that stops JavaScript being used to run a script or have a script run from a 3rd-party site (cross-site scripting). This prevents the greatest majority of drive-by downloads, but there is no getting away from the fact that the user is often the weakest link in the chain.
You could go a step further and use a limited user account instead of one with admin privileges (even if you have UAC), as that also limits the potential harm that it can cause should it get past your security.
As I have always said, if all else fails, have a robust backup and recovery strategy. With all of that in place I find little need for Sandboxie.