For sure use a sandbox when online.
I use Sandboxie instead of a sandbox that comes with the AV or Firewall.
It can be used to test install programs as well but I use a VM instead.
Oracle VirtualBox is a non-invasive VM.
I use Comodo firewall with its HIPS set to Paranoid mode once it has learned (written its own rules for) how my system is generally used.
It naturally also has strong control over what can use the internet.
When allowing/denying rules from the popup windows for a new application, it's wise to edit the rules to make sure they reflect exactly how you want it to work.
Use PeerBlock to block IPs or areas of the internet you don't want your PC to access.
Or set it to block everything except where you say is ok.
It doesn't handle IPv6.