Hardware-based virtualized security isolation

What is claimed is: 1. A method performed by a host operating system executing on a host device, comprising: detecting that an application that is running on the host operating system is attempting to access a network resource that is accessible to the host device via a network; in response to detecting that the application is attempting to access the network resource, determining whether the network resource is an untrusted network resource; in response to determining that the network resource is an untrusted network resource: activating a container that is isolated from the host operating system, the container being configured to run a version of the application; and passing the untrusted network resource to the container thereby allowing the version of the application running in the container to access the untrusted network resource; and in response to determining that access to the untrusted network resource has ended, suspending the container. 2. The method as recited in claim 1 , further comprising allowing the version of the application running in the container to access one or more additional untrusted network resources and preventing the version of the application running in the container from accessing trusted network resources. 3. The method as recited in claim 1 , wherein detecting that the application is attempting to access the network resource comprises detecting that the application is attempting to access a file or another application and wherein allowing the version of the application running in the container to access the untrusted network resource comprises allowing the file or the other application to be opened within the container. 4. The method as recited in claim 1 , further comprising receiving at least one policy that includes at least an enumerated list of trusted network resources, wherein determining that the network resource is an untrusted network resource comprises comparing the network resource against the enumerated list of trusted network resources, the enumerated list of trusted network resources being identified based on one or more of a file type of the network resource, a network location associated with the network resource, or an application type that is attempting to access the network resource. 5. The method as recited in claim 1 , wherein the container is activated for a user that is logged on to the host operating system, the method further comprising determining that a different user is logged on to the host operating system and activating, for the different user, a different container that is isolated from the host operating system and the container. 6. The method as recited in claim 1 , further comprising determining that the application is attempting to access the network resource over an untrusted network interface and, in response to determining that the application is attempting to access the network resource over the untrusted network interface: restricting network communications for the application in the host operating system to a virtual private network (VPN) interface; allowing the version of the application running in the container to perform network communications over the untrusted network interface; and indicating to a network stack of the container that network communications for the container are isolated to the untrusted network interface. 7. The method as recited in claim 1 , further comprising intercepting a response to a web proxy prompt for user credentials and inserting one or more user credentials into the response to the web proxy prompt without communicating the one or more user credentials to the container. 8. The method as recited in claim 1 , further comprising scanning one or more untrusted network resources that are accessed in the container and using antivirus software in the host operating system to assign one or more risk levels to the one or more untrusted network resources and quarantine, clean, or delete one of the one or more untrusted network resources if the assigned risk level indicates that the untrusted network resource is malicious. 9. The method as recited in claim 1 , further comprising monitoring activity associated with the untrusted network resource in the container and updating local policy at the host operating system based on the monitored activity. 10. The method as recited in claim 1 , wherein the application is a web application and the untrusted network resource is a web page. 11. The method as recited in claim 1 , wherein the container is activated for network resource communications over a first network communication interface, the method further comprising activating a second container for network resource communications over a second network communication interface. 12. The method as recited in claim 1 , further comprising: detecting that the application is attempting to access an additional network resource; activating the container in response to determining that the additional network resource is an untrusted resource; and passing the additional network resource to the container thereby allowing the version of the application running in the container to access the additional network resource. 13. The method as recited in claim 1 , further comprising detecting an update to the host operating system and, in response to detecting the update to the host operating system, deleting the container and creating a new container that reflects one or more updated binaries of the host operating system. 14. The method as recited in claim 1 , wherein determining that the network resource is an untrusted network resource is performed based on one or more of a file type of the network resource, a network location associated with the network resource, an application type that is attempting to access the network resource, anti-virus scanning of the network resource, or based on consulting a cloud-based service that maintains a list of malicious network resources. 15. The method as recited in claim 1 , wherein the container is activated for a user that is logged on to the host operating system, the method further comprising activating one or more additional containers for the user and preventing other users of the host operating system from accessing the container and the one or more additional containers. 16. The method as recited in claim 1 , further comprising receiving a request from the version of the application running in the container for user credentials and providing a pseudo-authentication to the version of the application running in the container that includes information proving ownership of the user credentials without providing the user credentials to the container. 17. The method as recited in claim 1 , further comprising identifying a local network and emulating the local network for the container. 18. The method as recited in claim 1 , further comprising identifying a local network and emulating the local network behind a network address translator (NAT) for the container. 19. The method as recited in claim 1 , further comprising scanning for and sharing Domain Name System (DNS) and HyperText Transfer Protocol (HTTP) information between the host operating system and the container. 20. The method as recited in claim 1 , further comprising tracking one or more configuration changes performed by the version of the application running in the container. 21. The method as recited in claim 1 , further comprising obtaining telemetry from the container and analyzing container activity based on the o