> . For example, "this application should *never* access the internet" or "this application only needs access to these libraries and this particular data directory,"
You can already using tools like hosts.{allow|deny} and chroot... oh, you mean on Windows...
> Or only an admin can flag/unflag a file as executable and executables are immutable.
Even Windows does this, so I'm not sure what you are on about.
> Would anyone else find VMS' version controlled files being on by default handy
Not really. Windows 7 & OS X does this and I've never found it useful - everything is checked into source control anyway. Similar tools exist for *nix, but I've never felt motivated enough to try them. My solution is put everything important (including /etc) into subversion which has the added advantage of supporting branching, labels and so on.
> That might be a little more interesting than a new gui.
Quite.