NTFS: Deny all permissions for all files, except where explicitly added
Solution 1:
A couple things to keep in mind:
Disable bypass traverse checking for that user.
Explicit allows take precedence over inherited denies.
I would not recommend altering the Authenticated Users or Users security groups.
Solution 2:
Give a deny to that user at the root of the drive for exerything except "Traverse Folder" and then grant an explicit allow where you want them to be able to read. Generally speaking, removing Authenticated Users from Users isn't a good idea.
Solution 3:
I don't think this is the right way to approach this.
What you should really do is set ACLs on confidential data you have (eg. if users have home folders on this computer, you should change its ACL so that only that user and administrators are granted any access at all on it).
Solution 4:
In the end I went with the "excessive" solution:
icacls c:\* /T /C /deny MyComputer\SandboxUser:(OI)(CI)F
This adds deny entries to all files and directories. Then I used Process Monitor to see what permissions I have to change manually to let the application run.