Hi Budi,
By default, Windows Sandbox does inherit network connectivity from the host through a Hyper-V virtual switch. Microsoft documents that networking is enabled by default, and explicitly warns that this can expose untrusted applications running in the sandbox to the internal network. The sandbox receives its own virtual NIC, but it can still reach network resources accessible from the host.
If your analysts are opening potentially malicious URLs, I would not rely on the default configuration. The safest approach is to launch Sandbox with networking disabled using a .wsb configuration file:
<Configuration>
  <!-- Disable the sandbox's virtual NIC entirely -->
  <Networking>Disable</Networking>
</Configuration>
Save it as NoNetwork.wsb and launch Sandbox from that file. This completely removes network access from the sandbox session.
For enterprise-wide enforcement, configure the Group Policy Computer Configuration > Administrative Templates > Windows Components > Windows Sandbox > Allow networking in Windows Sandbox and set it to Disabled. This prevents users from launching a network-enabled sandbox regardless of local configuration.
If analysts must browse live phishing URLs, Windows Sandbox alone is not an ideal containment boundary because the default NAT networking can still reach internal resources available from the host network. In that scenario, use a dedicated isolated VM network, a separate analysis VLAN, or a cloud-based detonation environment rather than a standard Windows Sandbox instance connected to the corporate LAN.
Try this article: https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file
Harry.
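The procedure Harry describes (write a no-network .wsb, launch it, and check the machine-wide policy), as an added PowerShell example that is not part of the original reply. The registry location and value name used for the "Allow networking in Windows Sandbox" policy are my assumption from the ADMX and should be verified against your own policy templates; the file path is arbitrary.

```powershell
# Added example, not from the original message.
# Builds a .wsb with networking disabled, reports the machine-wide policy state,
# and launches Windows Sandbox from the file.
# Requires an elevated prompt for Get-WindowsOptionalFeature.

$WsbPath = Join-Path $env:USERPROFILE 'Desktop\NoNetwork.wsb'   # arbitrary location

# 1. Confirm the optional feature is installed on this host.
$feature = Get-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM'
if ($feature.State -ne 'Enabled') {
    throw 'Windows Sandbox feature is not enabled on this host.'
}

# 2. Report the machine-wide policy state.
# ASSUMPTION: this key/value is where the "Allow networking in Windows Sandbox"
# Group Policy lands (0 = Disabled). Verify against your ADMX before relying on it.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Sandbox'
$allowNet  = (Get-ItemProperty -Path $policyKey -Name 'AllowNetworking' -ErrorAction SilentlyContinue).AllowNetworking

if ($null -eq $allowNet) {
    Write-Warning 'Policy not configured: a user can still launch a network-enabled sandbox unless the .wsb disables it.'
} elseif ($allowNet -eq 0) {
    Write-Host 'Policy disables networking machine-wide; the .wsb setting below is redundant but harmless.'
} else {
    Write-Warning "Policy explicitly allows networking (AllowNetworking = $allowNet)."
}

# 3. Write the configuration file. With Networking disabled the sandbox
#    receives no virtual NIC, so it cannot reach the host's network at all.
$config = @"
<Configuration>
  <Networking>Disable</Networking>
</Configuration>
"@
Set-Content -Path $WsbPath -Value $config -Encoding UTF8

# 4. Launch. .wsb files are associated with WindowsSandbox.exe, so starting
#    the file itself is enough; no separate command line is needed.
Start-Process -FilePath $WsbPath
```

Run it from an elevated PowerShell session. If the policy check warns that networking is not configured, the .wsb still gives you a no-network session for this launch, but only the Group Policy setting stops an analyst from opening a different, network-enabled .wsb later.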