More advanced control of user networking?

[Anders Pitman]

I realize this is likely a niche request, but haven't been able to find anything in the docs so figured it was worth at least asking.

I'm working on running a server application on a Windows 10 laptop using QEMU for sandboxing. I want to allow the guest to access the public internet, but mostly prevent access to private address ranges (ie 10.0, 192.168, etc), except for a few things like accessing a samba share to share directories with the host and possibly communication with other VMs.

The goal is to protect the host network from the guest in case the server application is exploited.

I'm pretty sure this would be achievable with a TAP device using whatever the Windows equivalent of iptables is, but is such a thing possible with user networking?

I want to avoid a TAP device because a) TAP devices seem to require additional software on Windows hosts, and b) I don't want to require admin privileges just to accomplish sandboxing.