Computer system protection against harmful data from an external
computer network (60) (e.g. the Internet) involves supplying incoming
data (62) to a software checker (64) as the data enters a computer
system (not shown). The checker (64) routes any suspect data (66) to an
encryptor (68), which encrypts it to render it unusable and harmless.
Encrypted data passes to a computer (72) that is in an internal network
(74) and has a desktop quarantine area or sandbox (76) for suspect data.
The computer (72) runs main desktop applications (78), which receive
encrypted data (70) for storage and transfer but cannot use it in any
meaningful way because it is encrypted. Equally, the applications (78)
cannot be interfered with by the encrypted data (70), because encryption
makes this impossible. On entry into the sandbox (76), the encrypted
data (70) is decrypted to usable form; it then becomes accessible by
software (204) suitable for use in the sandbox (76), subject to sandbox
constraints.
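
The flow described above, as an added Python example that is not part of the original abstract. The marker heuristic, the function and class names, and the SHA-256 keystream with HMAC (a stand-in, since the abstract names no cipher) are all assumptions made for illustration.

```python
import hashlib, hmac, os

# Constructed heuristic for "suspect"; the abstract does not define the check.
SUSPECT_MARKERS = (b"MZ", b"#!", b"<script")

def _subkeys(key):
    # Separate keys for encryption and integrity, derived from one secret.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _xor_stream(enc_key, nonce, data):
    # Stand-in cipher (assumption): SHA-256 in counter mode as a keystream.
    blocks = (hashlib.sha256(enc_key + nonce + i.to_bytes(8, "big")).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def encryptor(key, data):
    """Encryptor (68): returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    body = nonce + _xor_stream(enc_key, nonce, data)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def checker(key, data):
    """Checker (64): clean data passes as-is, suspect data (66) is encrypted."""
    suspect = any(m in data[:64] for m in SUSPECT_MARKERS)
    return {"suspect": suspect, "payload": encryptor(key, data) if suspect else data}

class Sandbox:
    """Sandbox (76): holds the key, so suspect data is usable only in here."""
    def __init__(self, key):
        self._key = key

    def open(self, item):
        if not item["suspect"]:
            return item["payload"]
        enc_key, mac_key = _subkeys(self._key)
        body, tag = item["payload"][:-32], item["payload"][-32:]
        # Reject blobs altered while stored or transferred by desktop apps (78).
        if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
            raise ValueError("quarantined blob failed integrity check")
        return _xor_stream(enc_key, body[:16], body[16:])
```

The desktop applications (78) appear here only as whatever code stores or forwards `item["payload"]` without the key; in this example the checker and the sandbox share one symmetric key.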