Example Windows Sandbox configuration file (.wsb)
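<Configuration>
  <!--
    Windows Sandbox configuration (.wsb): disables microphone and camera input,
    sets sandbox memory, maps the host Downloads folder into the sandbox, and
    adds outbound firewall block rules at logon.
    Not set here, so they keep their defaults: Networking, ClipboardRedirection,
    PrinterRedirection, ProtectedClient, vGPU. Review them against the isolation
    level you need; Networking set to Disable removes network access entirely
    when the workload does not need it.
  -->

  <!-- The .wsb schema documents Enable / Disable / Default for these two
       settings; a boolean such as "false" is not a documented value, so the
       device state would not be guaranteed. -->
  <AudioInput>Disable</AudioInput>
  <VideoInput>Disable</VideoInput>

  <MemoryInMB>8192</MemoryInMB>

  <MappedFolders>
    <MappedFolder>
      <!-- Replace USER with the host account name. -->
      <HostFolder>C:\Users\USER\Downloads</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Downloads</SandboxFolder>
      <!-- ReadOnly=false lets anything running in the sandbox create, modify
           or delete files in the host folder. Set it to true unless files
           must be written back to the host, and treat anything written back
           as untrusted. -->
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>

  <!--
    Outbound block rules applied at logon.
    NOTE(review): the documented LogonCommand form describes a single Command.
    Confirm inside the sandbox that every rule below exists
    (netsh advfirewall firewall show rule name=all); if not, move the commands
    into one script in a read-only mapped folder and call that script here.
    These rules are a denylist created after logon inside the guest: traffic
    can leave before they are applied, programs not listed are unaffected, and
    code running with administrative rights in the sandbox can remove them.
    They reduce noise; they are not the isolation boundary.
  -->
  <LogonCommand>
    <!-- Per-program outbound blocks for shell and system UI processes. -->
    <Command>netsh advfirewall firewall add rule name="SearchHost.exe" dir=out action=block program="C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" enable=yes</Command>
    <Command>netsh advfirewall firewall add rule name="WebExperienceHostApp.exe" dir=out action=block program="C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\WebExperienceHostApp.exe" enable=yes</Command>
    <Command>netsh advfirewall firewall add rule name="SystemSettings.exe" dir=out action=block program="C:\WINDOWS\ImmersiveControlPanel\SystemSettings.exe" enable=yes</Command>
    <Command>netsh advfirewall firewall add rule name="StartMenuExperienceHost.exe" dir=out action=block program="C:\WINDOWS\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" enable=yes</Command>
    <!-- Per-program outbound blocks for script and helper hosts; the two
         powershell.exe rules share a name and cover the SysWOW64 and System32
         copies. -->
    <Command>netsh advfirewall firewall add rule name="powershell.exe" dir=out action=block program="C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" enable=yes</Command>
    <Command>netsh advfirewall firewall add rule name="powershell.exe" dir=out action=block program="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" enable=yes</Command>
    <Command>netsh advfirewall firewall add rule name="explorer.exe" dir=out action=block program="C:\Windows\explorer.exe" enable=yes</Command>
    <Command>netsh advfirewall firewall add rule name="hh.exe" dir=out action=block program="C:\Windows\hh.exe" enable=yes</Command>
    <Command>netsh advfirewall firewall add rule name="rundll32.exe" dir=out action=block program="C:\Windows\System32\rundll32.exe" enable=yes</Command>
    <!-- Port-range blocks scoped to localip=172.21.32.0/20, so they only match
         while the sandbox's own address is inside that range.
         NOTE(review): check the address the sandbox actually receives
         (ipconfig inside the sandbox); outside that range these two rules
         match nothing.
         TCP: every remote port is blocked except 22, 445 and 3389.
         UDP: remote ports 1-52 and 54-1023 are blocked, leaving 53 and
         1024-65535 open. Confirm each open port is intentional. -->
    <Command>netsh advfirewall firewall add rule name=deny172t dir=out protocol=tcp localip=172.21.32.0/20 remoteport=1-21,23-444,446-3388,3390-65535 action=block</Command>
    <Command>netsh advfirewall firewall add rule name=deny172u dir=out protocol=udp localip=172.21.32.0/20 remoteport=1-52,54-1023 action=block</Command>
  </LogonCommand>
</Configuration>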
To enable the Windows Sandbox feature on the host, run this from an elevated command prompt:
dism /online /Enable-Feature /FeatureName:Containers-DisposableClientVM