How can I set up my Windows PC and/or network so that none of the programs on my actual PC have internet access, but I have a sandbox/VM with a browser, which has internet access but no access to the actual files? Essentially, I want to slice my PC in half. The offline part has access to documents, but no internet connection. The other is a sandboxed web browser, which has internet access, but cannot read or write the offline part of the PC.
In other words, I want a sandboxed web browser, and then block every program's internet access outside the sandbox. Even Windows Update. I would not need "security updates" anyway. I think this way one could reach nearly 100% security for sensitive documents.
Answers/comments saying that this kind of defense is not worth it are also welcome.
Edit: The offline part would be mostly used, so it would be better to somehow allocate the resources to that. I don't know how much performance is lost by each virtualization technology, but in my experience, so far, it's a lot.