Re: Windows sandbox
Ok... first of all, Sandbox is an insider feature which means that things will and DO go wrong. It's not meant to be reliable software, it's meant to be bleeding edge. Think of it as the alpha and beta versions of times past.
Second of all, security fixes from release builds generally come into sandbox builds. The security fixes are tested against release and if they're tested against insider as well, it's a bonus.
Internet Explorer is an application built on top of many Windows APIs including for example the URL engine for things like fetching and caching web media. It's like libcurl. Just like libcurl, wget, etc... there are always updates and security patches being made to it. So, when making updates and security fixes to the web browser, if fixes need to be made to the underlying operating system as well, they are.
That said, I've had fixes to IE break my code many times. This is ok. I get a more secure and often higher performance platform to run my code on. It's worth a patch or two if it keeps my users safe.