If the option is enabled, then any non-trusted website that the user visits will be displayed and run in a virtual container, and all processes used by the browser to display the contents of the page are walled off from the rest of the device.
When the window or tab to that site is closed, the virtual container is destroyed, so even if the page itself, or some combination of user actions caused malicious software to be installed, it would only reside in the virtual container, and be destroyed as soon as the window or tab was closed.
The biggest downside to this approach is that a user has to type in his or her username and password at every visit. Checking the “remember me” box on a non-trusted website would store the information in the virtual container, which of course, would be destroyed at the end of the session and not truly saved.
Of course, a feature exists that allows IT staff to create a whitelist of trusted sites, which can be modified by anyone with the appropriate security access. Any site on this list would run as normal, circumventing the protection offered by the Application Guard.
It’s not a perfect solution, and it may not be right for every business or every user within a given business. But for government agencies, and any company operating in the health care or financial sector, this is solid gold. It is an added bit of security that doesn’t require any special action by your IT staff, and doesn’t take much to manage, and that’s welcomed news indeed.