When you remove administrative rights for applications using the Remove Administrative Rights action, there is an advanced feature that allows you to apply restricted Security Identifiers (SIDs), which further restricts access to securable objects.
What is a Restricted SID?
A Restricted ID is an access token that modifies a user's access to securable objects and controls a user's ability to perform various system-related operations on the local computer.
When a restricted process or thread tries to access a securable object, the system performs two access checks: one using the token's enabled SIDs, and another using the list of restricted SIDs. Access is granted only if both access checks allow the requested access rights. (For more information about restricted SIDs, go to the Microsoft Developer Network Library at https://msdn.microsoft.com/en-us/library/windows/desktop/aa379316(v=vs.85).aspx.)
...
What is this thing called SID?
[EDITING] Application Sandboxing