Microsoft says that while other browsers are “sandboxed” away from security-sensitive PC areas, they “still provide a pathway for malware and vulnerability exploits.” By contrast, Application Guard uses a hardware container to completely isolate Edge from the rest of the PC.

The system is only available on Windows 10 Enterprise for now, so administrators will need to choose sites that do and don’t run inside Application Guard. When it’s enabled, malware can’t penetrate the protective VM “box” around Edge to access the rest of the system. “Even if an untrusted site successfully loads malware, the malware is unable to reach beyond the isolated container to steal data or permanently compromise devices or the network,” Microsoft wrote.

Running Edge in a virtual machine will slow it down a bit, but Microsoft says it uses the minimum resources necessary to keep it light. The other hassle is that an Application Guard-enabled session won’t save your cookies or other data, because closing the browser completely wipes all memory of the session. Those things mean that, for now, the VM-protected Edge system isn’t quite ready for non-enterprise users just yet. However, in an age of constant hacking, a browser that isolates your system from danger seems like an idea whose time has come.