Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant’s arguments, see Remarks Pg. 1, filed 02-23-2021, with respect to claim objection have been fully considered and are persuasive.  The claim objection is withdrawn. 
Applicant's arguments (see Remarks Pg. 1, filed 02-23-2021) with regard to double patenting have been fully considered but they are not persuasive. The examiner respectfully disagrees with the attorney’s arguments (hereafter ‘arguments’). Even when a plurality of VMs are instantiated, by the time the request is executed at the appropriate security zone(s), they are already executing, and it is obvious to check for compliance with the security policies of different VMs and to cause the request to be redirected and executed according to the patented claims of 10699004 and the combination of independent claims and dependent claims 1, 5, 6, 11, 12, 16 and 17 of the pending application. Therefore the amendments do not overcome the rejection.
Applicant's arguments (see Remarks Pg. 1, filed 02-23-2021) with regard to the claim rejections under 35 USC 103 have been fully considered but they are not persuasive. Arguments recite “Banga appears to teach creating new, previously not executing virtual machines based on a template for virtual machine creation that is selected in response to receiving a request to execute an application… Banga is silent on determining an appropriate security zone for execution of user request, and so for this claim element it cites Grec, col. 12, lines 46-48. However, these lines state: The installation and start of any application will define an appropriate VEE, in which context this application should be installed and run, as well as appropriate communication proxies. It should be appreciated that there is no determination of anything with regard to security. As such, Grec does not teach that for which it is cited, and so this claim element is also lacking from the combination as a whole.” The examiner respectfully disagrees with the arguments. First, the arguments have been made on the amended claims. Second, when a request is to be serviced by an appropriate VM, then by the time the request is serviced, it is well known to a person of ordinary skill in the art that the VM should be ‘already running’. Hence, there is nothing novel or non-obvious in this recitation that the VMs are created or instantiated or cloned before the request is processed. When they are instantiated using templates with appropriate security rules and policies, they are up and already running and configured for a request to be processed. See Banga col. 4 lines 33-44: different secure zones namely corporate, personal and/or general web browsing zones are each realized and corresponds to one of existing and executing VMs which are dedicated to those respective zones and enables to run corporate applications in corporate zone, to execute personal programs and store documents in personal zone and to browse web from third zone and Col. 8 lines 13-25: When a user requests a process to execute or (col. 8 lines 46-54) a process requests access to a file system, it is intercepted by the VM0/hypervisor and (col. 16 lines 7-55, abstract) based on the type of activity and a number of factors, the level of access policy is determined. Banga also correctly teaches based on the templates appropriate VMs are executed where the applications are processed with those VMs as secure zones… (col. 16 lines 37-40) VM executing a reputed executable code, the VM having the level of access policy and rule is determined and granted access to greater resources… Cols. 14, 15 lines 55-67, 1-15: one or more templates are used to configure security policies for VM with characteristics and/or operational parameters which specify the rules and policies to complete a user's request (Col. 16 lines 8-10)). As for Grec, see col. 3 lines 18-22: Sets of security rules and/or access rules corresponding to different levels of security can be implemented, with the sets of security rules being changed using configuration application representing slider image on the host desktop or on the window related to VEE and col. 14 lines 15-27: system checks if there is another VEE already running that is compatible with this application based on security policies (col. 17 lines 12-16). If there is one, then the application is executed in that VEE (also ref. col. 12 lines 27-67, col. 13 lines 1-6). See col. 8 lines 48-57: When any process inside VM requests access to the file system of client, it is intercepted and a different process A is responsible for rendering a window depicting the contents of the file system of client. Process A has the option of selectively displaying which contents are available to the VM based on policies. Also the specification paras. [0041-44] recite that the hypervisor instantiates the virtual machines for each secure zone before or prior to processing the request. Therefore, although the amendments provide a clarification as to whether the VMs have been running, they do not overcome the prior art, as the prior art references do teach, in combination, that a VM was previously executing while a user/process request is incoming and an application is executed at the appropriate VM configured with security policies after proper checking (MPEP 2141.01 VI). The same reasoning applies to all the corresponding dependent claims 2 – 10 and 13 – 21 as well. The applicant’s attorney was contacted for compact prosecution; for further details see the attached PTO-413 – Interview Summary.
Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references. Applicant's arguments do not comply with 37 CFR 1.111(c) because they do not clearly point out the In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986). Therefore the rejections under 35 USC 103 are maintained.

Claim Interpretation
In this application, according to spec. [0036], security zone and virtual machine are used interchangeably. The security zone shall be personal or corporate zones. Nevertheless, both are realized by instantiating and executing virtual machines (VMs) having the corresponding security policies for that zone [ref. 0111]. The spec. [0041-44, Fig. 1] recites instantiating VMs by a hypervisor which manages those VMs. Therefore it is appropriate to interpret that a request shall be sent to a VM that is instantiated and executing before the request is serviced.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper time-wise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1 – 6, 9, 11 – 17 and 20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1 – 3, 5, 6, 8, 12, 13, 20 and 21 of U.S. Patent No. 10699004 in view of and Grechishkin et al (US Pub. 8732607), hereafter Grechishkin. 
Instant App. 16541395
Patent #: 10699004
1. A method for seamlessly launching an application in an appropriate already executing virtual machine, comprising: monitoring a plurality of already executing virtual machines to detect at least one user request to be executed within a security zone, wherein each security zone is realized as and corresponds to one of the already executing virtual machines; intercepting the user request and analyzing a level of permission required to complete the user request; determining an appropriate security zone in which to execute the user request, wherein the appropriate security zone has the required level of permission; and executing the user request in the appropriate security zone.
2. The method of claim 1, wherein the appropriate security zone is a first security zone, and the executed user request is caused to be displayed in a second security zone on a same desktop display.
rendering a first layer presenting a desktop of the first security zone; rendering a second layer presenting a cropped desktop display of the second security zone; displaying the first layer in its entirety; and displaying the second layer on top of the first layer, wherein any application in the first security zone cannot access any application in the second security zone when displayed on a same desktop.
4. The method of claim 3, wherein rendering the second layer further comprises: maintaining a z-order of windows as set by a user.
5. The method of claim 1, wherein the user request causes a URL redirection.
6. The method of claim 5, further comprising: capturing the user request to access a website on a first security zone, wherein the user request includes at least a URL of the website that does not comply with a security policy of the first security zone; and redirecting the request to access the website to a second security zone, wherein the URL designated in the user request complies with the security policy of the second security zone.
9. The method of claim 1, wherein the user request is executed on an application.
11. A non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to: monitoring a plurality of already executing virtual machines to detect at least one user request to be executed within a security zone, wherein each security zone is realized as and corresponds to one of the already executing virtual machines; Page 3 of 10USSN: 16/541,395 Docket: HYLT P1385 intercepting the user request and analyzing a level of permission required to complete the user request; determining an appropriate security zone in which to execute the user request, wherein the appropriate security zone has the required level of permission; and executing the user request in the appropriate security zone.
12. An air-gapped endpoint, comprising: a network card interface; a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the air-gapped endpoint to: monitor a plurality of already executing virtual machines to detect at least one user request to be executed within a security zone, wherein each security zone is realized as and corresponds to one of the already executing virtual machines; intercept the user request and analyzing a level of permission required to complete the user request; determine an appropriate security zone in which to execute the user request, wherein the appropriate security zone has the required level of permission; and execute the user request in the appropriate security zone.
13. The system of claim 12, wherein the appropriate security zone is a first security zone, and the executed user request is caused to be displayed in a second security zone on a same desktop display.
14. The system of claim 13, wherein the system is further configured to: render a first layer presenting a desktop of the first security zone; render a second layer presenting a cropped desktop display of the second security zone; display the first layer in its entirety; and display the second layer on top of the first layer, wherein any application in the first security zone cannot access any application in the second security zone when displayed on a same desktop.
15. The system of claim 3, wherein rendering the second layer further comprises: maintaining a z-order of windows as set by a user.
16. The system of claim 12, wherein the user request causes a URL redirection.
17. The system of claim 16, wherein the system is further configured to: capture the user request to access a website on a first security zone, wherein the user request includes at least a URL of the website that does not comply with a security policy of the first security zone; and redirect the request to access the website to a second security zone, wherein the URL designated in the user request complies with the security policy of the second security zone.
20. The system of claim 12, wherein the user request is executed on an application.
monitoring, by a hypervisor, a plurality of security zones, instantiated on the air-gapped endpoint, to detect at least one UX command executed in a first security zone;
determining if the detected UX command triggers a UX function effecting a second security zone, wherein the UX function causes a URL redirection; determining if the UX function to be triggered maintains compliance with a security policy of the first security zone and second security zone; executing the UX function across the first security zone and second security zone; 
capturing a request to access a website on the first security zone, wherein the request includes at least a URL of a website that does not comply with the security policy of the first security zone; redirecting the request to access the website to the second security zone, wherein the URL designated in the request complies with the security policy of the second security zone; and
in response to the execution of the UX function causing, by the hypervisor, rendering of windows of applications executed in the first security zone and second security zone, wherein the windows are displayed on the same desktop display.
2. (Original) The method of claim 1, wherein each security policy defines at least a user interface (UX) policy.
3. (Original) The method of claim 2, wherein the UX policy defines UX functions allowed to be performed by a user of the air-gapped endpoint in a corresponding security zone.
5. (Currently Amended) The method of claim [[4]] 1, further comprising: rendering a first layer presenting a desktop of the first security zone; rendering a second layer presenting a cropped desktop display of the second security zone; displaying the first layer in its entirety; and displaying the second layer on top of the first layer, wherein any application in the first security zone cannot access any application in the second security zone when displayed on the same desktop.
6. (Original) The method of claim 5, wherein rendering the second layer further comprises: maintaining a z-order of windows as set by a user.
8. (Currently Amended) The method of claim [[4]] 1, wherein a detected UX command for launching an application in the second security zone triggers the UX function of displaying windows of applications on the same desktop display.
12. (Original) The method of claim 1, wherein the UX function causes a URL redirection.
capturing a request to access a website on the first security zone, wherein the request includes at least a URL of a website that does not comply with the security policy of the first security zone; and redirecting the request to access the website to the second security zone, wherein the URL designated in the request complies with the security policy of the second security zone.
20.	(Currently Amended) A non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to execute a process for performing user experience (UX) functions on an air-gapped endpoint, the process comprising:
monitoring, by a hypervisor, a plurality of security zones, instantiated on the air-gapped endpoint, to detect at least one UX command executed in a first security zone, wherein the UX function causes a URL redirection;
determining if the detected UX command triggers a UX function effecting a second security zone; determining if the UX function to be triggered maintains compliance with a security policy of the first security zone and second security zone; executing the UX function across the first security zone and second security zone; capturing a request to access a website on the first security zone, wherein the request includes at least a URL of a website that does not comply with the security policy of the first security zone; redirecting the request to access the website to the second security zone, wherein the URL designated in the request complies with the security policy of the second security zone; and in response to the execution of the UX function causing, by the hypervisor, rendering of windows of applications executed in the first security zone and second security zone, wherein the windows are displayed on the same desktop display.

a network card interface; 
a processing circuitry; and
a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: 
monitor a plurality of security zones, instantiated on the air-gapped endpoint, to detect at least one UX command executed in a first security zone, wherein the UX function causes a URL redirection; determine, by a hypervisor, if the detected UX command triggers a UX function effecting a second security zone; determine if the UX function to be triggered maintains compliance with a security policy of the first security zone and second security zone; execute the UX function across the first security zone and second security zone; and capture a request to access a website on the first security zone, wherein the request includes at least a URL of a website that does not comply with the security policy of the first security zone; redirect the request to access the website to the second security zone, wherein the URL designated in the request complies with the security policy of the second security zone; in response to the execution of the UX function causing, by the hypervisor, rendering of windows of applications executed in the first security zone and second security zone, wherein the windows are displayed on the same desktop display.


The patent 10699004 reads on the instant application as recited above but is silent on determining an appropriate security zone for execution of user request and the virtual machines are already executing.
However, the analogous art Grec teaches determining an appropriate security zone for execution of user request and the virtual machines are already executing. (Col. 12 lines 27-67: set of installation/behavior rules allow automatic selection and execution of applications at appropriate Virtual Execution Environment (VEE) in appropriate and respective secure “zones” (col. 13 lines 1-6); col. 14 lines 15-27: system checks if there is another VEE already running that is compatible with this application based on security policies (col. 17 lines 12-16). If there is one, then the application is executed in that VEE).
Cols. 15, 16 lines 67, 1-10).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly 
Claims 1 – 4, 7 – 15 and 18 – 21 is/are rejected under 35 U.S.C. 103 as being unpatentable over Banga et al (US Pub. #: 9116733), hereafter Banga and Grechishkin et al (US Pub. 8732607), hereafter Grec.
Claim 1: Banga teaches a method for seamlessly launching an application in an appropriate already executing virtual machine, comprising (Summary, Figs. 2 to 7): 
monitoring a plurality of already executing virtual machines to detect at least one user request to be executed within a security zone; (Col. 6 lines 37-41: the system includes a number of virtual machines (VMs) which are monitored by the root of trust VM0 (Col. 16 lines 5-6, Fig. 5; Col. 9 lines 57-60, Fig. 2) where each of the VMs executes in isolation from others (Col. 4 lines 36-45) detects user requests to run their personal programs or applications); 
wherein each security zone is realized as and corresponds to one of the [already] executing virtual machines; (col. 4 lines 33-44: different secure zones namely corporate, personal and/or general web browsing zones are each realized and corresponds to one of existing and executing VMs which are dedicated to those respective zones and enables to run corporate applications in corporate zone, to execute personal programs and store documents in personal zone and to browse web from third zone);
intercepting the user request and analyzing a level of permission required to complete the user request; (Col. 8 lines 13-25: When a user requests a process to execute or (col. 8 lines 46-54) a process requests access to a file system, it is intercepted by the VM0/hypervisor and (Col. 16 lines 7-55, abstract) based on the type of activity and a number of factors, the level of access policy is determined).
determining an appropriate security zone in which to execute the user request, wherein the appropriate security zone has the required level of permission; ((col. 16 lines 37-40) VM executing a reputed executable code, the VM having the level of access policy and rule is determined and granted access to greater resources…Cols. 14, 15 lines 55-67, 1-15: one or more templates are used to configure security policies for virtual machine with characteristics and/or operational parameters which specify the rules and policies to complete a user's request (Col. 16 lines 8-10)).
and executing the user request in the appropriate security zone. (Col. 16 lines 42-50: the client requested application is executed in the specific generated VM).
Banga teaches the claimed concept but is silent on determining an appropriate security zone for execution of user request and the virtual machines are already executing.
However, the analogous art Grec teaches determining an appropriate security zone for execution of user request and the virtual machines are already executing. (Col. 12 lines 27-67: set of installation/behavior rules allow automatic selection and execution of applications at appropriate Virtual Execution Environment (VEE) in appropriate and respective secure “zones” (col. 13 lines 1-6); col. 14 lines 15-27: system checks if there is another VEE already running that is compatible with this application based on security policies (col. 17 lines 12-16). If there is one, then the application is executed in that VEE).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Banga to include the idea of selecting an Col. 10 lines 3-8).
Claim 11: Banga teaches a non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to (Summary, Fig. 9): monitoring a plurality of already executing virtual machines to detect at least one user request to be executed within a security zone, wherein each security zone is realized as and corresponds to one of the already executing virtual machines; intercepting the user request and analyzing a level of permission required to complete the user request; determining an appropriate security zone in which to execute the user request, wherein the appropriate security zone has the required level of permission; and executing the user request in the appropriate security zone. (Col. 6 lines 37-41: the system includes a number of virtual machines (VMs) which are monitored by the root of trust VM0 (Col. 16 lines 5-6, Fig. 5; Col. 9 lines 57-60, Fig. 2) where each of the VMs executes in isolation from others (Col. 4 lines 36-45) detects user requests to run their personal programs or applications; col. 4 lines 33-44: different secure zones namely corporate, personal and/or general web browsing zones are each realized and corresponds to one of existing and executing VMs which are dedicated to those respective zones and enables to run corporate applications in corporate zone, to execute personal programs and store documents in personal zone and to browse web from third zone; Col. 8 lines 13-25: When a user requests a process to execute or (col. 8 lines 46-54) a process requests access to a file system, it is intercepted by the VM0/hypervisor and (Col. 16 lines 7-55, abstract) based on the type of activity and a number of factors, the level of access policy is determined; (col. 16 lines 37-40) VM executing a reputed executable code, the VM having the level of access policy and rule is determined and granted access to greater resources…Cols. 14, 15 lines 55-67, 1-15: one or more templates are used to configure security policies for virtual machine with characteristics and/or operational parameters which specify the rules and policies to complete a user's request (Col. 16 lines 8-10); Col. 16 lines 42-50: the client requested application is executed in the specific generated VM).
Banga teaches the claimed concept but is silent on determining an appropriate security zone for execution of user request and the virtual machines are already executing.
However, the analogous art Grec teaches determining an appropriate security zone for execution of user request and the virtual machines are already executing. (Col. 12 lines 27-67: set of installation/behavior rules allow automatic selection and execution of applications at appropriate Virtual Execution Environment (VEE) in appropriate and respective secure “zones” (col. 13 lines 1-6); col. 14 lines 15-27: system checks if there is another VEE already running that is compatible with this application based on security policies (col. 17 lines 12-16). If there is one, then the application is executed in that VEE).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Banga to include the idea of selecting an appropriate VEE for execution of user request as taught by Grec thus users need not concern themselves with the exact mechanics of VM and its interactions with the host OS but only the final result-a seamless integration of different OSs (Col. 10 lines 3-8).
Claim 12: Banga teaches an air-gapped endpoint, comprising: a network card interface; a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the air-gapped endpoint to (Summary, Fig. 9): monitor a plurality of already executing virtual machines to detect at least one user request to be executed, wherein each security zone is realized as and corresponds to one of the already executing virtual machines; intercept the user request and analyzing a level of permission required to complete the user request; determine an appropriate security zone in which to execute the user request, wherein the appropriate security zone has the required level of permission; and execute the user request in the appropriate security zone. (Col. 6 lines 37-41: the system includes a number of virtual machines (VMs) which are monitored by the root of trust VM0 (Col. 16 lines 5-6, Fig. 5; Col. 9 lines 57-60, Fig. 2) where each of the VMs executes in isolation from others (Col. 4 lines 36-45) detects user requests to run their personal programs or applications; col. 4 lines 33-44: different secure zones namely corporate, personal and/or general web browsing zones are each realized and corresponds to one of existing and executing VMs which are dedicated to those respective zones and enables to run corporate applications in corporate zone, to execute personal programs and store documents in personal zone and to browse web from third zone; Col. 8 lines 13-25: When a user requests a process to execute or (col. 8 lines 46-54) a process requests access to a file system, it is intercepted by the VM0/hypervisor and (Col. 16 lines 7-55, abstract) based on the type of activity and a number of factors, the level of access policy is determined; (col. 16 lines 37-40) VM executing a reputed executable code, the VM having the level of access policy and rule is determined and granted access to greater resources…Cols. 14, 15 lines 55-67, 1-15: one or more templates are used to configure security policies for virtual machine with characteristics and/or operational parameters which specify the rules and policies to complete a user's request (Col. 16 lines 8-10); Col. 16 lines 42-50: the client requested application is executed in the specific generated VM).

However, the analogous art Grec teaches determining an appropriate security zone for execution of user request and the virtual machines are already executing. (Col. 12 lines 27-67: set of installation/behavior rules allow automatic selection and execution of applications at appropriate Virtual Execution Environment (VEE) in appropriate and respective secure “zones” (col. 13 lines 1-6); col. 14 lines 15-27: system checks if there is another VEE already running that is compatible with this application based on security policies (col. 17 lines 12-16). If there is one, then the application is executed in that VEE).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Banga to include the idea of selecting an appropriate VEE for execution of user request as taught by Grec, so that users need not concern themselves with the exact mechanics of the VM and its interactions with the host OS but only with the final result: a seamless integration of different OSs (Col. 10 lines 3-8).
Claim 2: the combination of Banga and Grec teaches the method of claim 1, wherein the appropriate security zone is a first security zone, and the executed user request is caused to be displayed in a second security zone on a same desktop display. (Banga: Col. 8 lines 42-59, Fig. 7: multiple virtual machines realized as secure zones with its respective programs and user requests are executed on the same display).
Claim 3: the combination of Banga and Grec teaches the method of claim 2, further comprises: rendering a first layer presenting a desktop of the first security zone; rendering a second layer presenting a cropped desktop display of the second security zone; displaying the first layer in its entirety; and displaying the second layer on top of the first layer, wherein any application in the Banga: Col. 4 lines 36-45: different VMs with different programs and applications are run on the same client say, XenClient (Fig. 7, Col. 8 lines 42-59) where the windows of the different VMs are displayed in layers one on top of another and the applications running on those VMs are exclusive to each particular VM).
Claim 4: the combination of Banga and Grec teaches the method of claim 3, wherein rendering the second layer further comprises: maintaining a z-order of windows as set by a user. (Banga: See Fig. 7 shows the z-order of overlapping windows of different VMs).
Claim 7: the combination of Banga and Grec teaches the method of claim 1, wherein executing the user request in the appropriate security zone is done automatically without user input. (Banga: Col. 7 lines 54-57: additional VMs are started "silently" and automatically by (Col. 6 line 21) server, e.g., these VMs are started transparently to the user and without the user having to do anything explicit).
Claim 8: the combination of Banga and Grec teaches the method of claim 1, wherein prior to executing the user request in the appropriate security zone, a request confirmation is sent to a user, and wherein the user request is only executed after receiving an affirmative user confirmation. (Banga: Col. 14 lines 16-18: ensure that files in file system maintained by Legacy VM are not visible to an untrusted code VM without explicit permission from the user. Col. 21 lines 13-43: user's explicit authorization is needed to run applications in designated VMs).
Claim 9: the combination of Banga and Grec teaches the method of claim 1, wherein the user request is executed on an application. (Banga: Col. 13 lines 11-32: user's intended request(s) are executed on invoked applications).
Claim 10: the combination of Banga and Grec teaches the method of claim 9, wherein the application run in the appropriate security zone and is terminated in a non-appropriate security zone. (Banga: Col. 6 lines 61-67, Fig. 5: Any activity which is not previously deemed trustworthy is performed in a separate VM and so all code which may be potentially malicious is executed in its own VM that is destroyed after its immediate use is ended, thereby preventing any malicious code from effecting any lasting change to a computer system. (Cols. 9 lines 32-62 and col. 10 lines 9-67) trusted code run in a Legacy VM shall clone an Untrusted Code VM (UCVM) and run and terminate at the UCVM with restricted file system access. The VMs with appropriate security parameters are dynamically created and destroyed based on the applications that are being run).
Claim 13: the combination of Banga and Grec teaches the system of claim 12, wherein the appropriate security zone is a first security zone, and the executed user request is caused to be displayed in a second security zone on a same desktop display. (Banga: Col. 8 lines 42-59, Fig. 7: multiple virtual machines with its respective programs and user requests are executed on the same display).
Claim 14: the combination of Banga and Grec teaches the system of claim 13, wherein the system is further configured to: render a first layer presenting a desktop of the first security zone; render a second layer presenting a cropped desktop display of the second security zone; display the first layer in its entirety; and display the second layer on top of the first layer, wherein any application in the first security zone cannot access any application in the second security zone when displayed on a same desktop. (Banga: Col. 4 lines 36-45: different VMs with different programs and applications are run on the same client say, XenClient (Fig. 7, Col. 8 lines 42-59) where the windows of the different VMs are displayed in layers one on top of another and the applications running on those VMs are exclusive to each particular VM).
Claim 15: the combination of Banga and Grec teaches the system of claim 13, wherein rendering the second layer further comprises: maintaining a z-order of windows as set by a user. (Banga: See Fig. 7 shows the z-order of overlapping windows of different VMs).
Claim 18: the combination of Banga and Grec teaches the system of claim 12, wherein executing the user request in the appropriate security zone is done automatically without user input. (Banga: Col. 7 lines 54-57: additional VMs are started "silently" and automatically by (Col. 6 line 21) server, e.g., these VMs are started transparently to the user and without the user having to do anything explicit).
Claim 19: the combination of Banga and Grec teaches the system of claim 12, wherein prior to executing the user request in the appropriate security zone, a request confirmation is sent to a user, and wherein the user request is only executed after receiving an affirmative user confirmation. (Banga: Col. 14 lines 16-18: ensure that files in file system maintained by Legacy VM are not visible to an untrusted code VM without explicit permission from the user. Col. 21 lines 13-43: user's explicit authorization is needed to run applications in designated VMs).
Claim 20: the combination of Banga and Grec teaches the system of claim 12, wherein the user request is executed on an application. (Banga: Col. 13 lines 11-32: user's intended request(s) are executed on invoked applications).
Claim 21: the combination of Banga and Grec teaches the system of claim 20, wherein the application run in the appropriate security zone and is terminated in a non-appropriate security zone. (Banga: Col. 6 lines 61-67, Fig. 5: Any activity which is not previously deemed trustworthy is performed in a separate VM and so all code which may be potentially malicious is executed in its own VM that is destroyed after its immediate use is ended, thereby preventing any malicious code from effecting any lasting change to a computer system. (Cols. 9 lines 32-62 and col. 10 lines 9-67) trusted code run in a Legacy VM shall clone an Untrusted Code VM (UCVM) and run and terminate at the UCVM with restricted file system access. The VMs with appropriate security parameters are dynamically created and destroyed based on the applications that are being run).
Claims 5, 6, 16 and 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Banga and Grec as applied to claims 1, 11 and 12 above, and further in view of Momchilov et al (US Pub. #: 9210213), hereafter Momchilov.
Claim 5: the combination of Banga and Grec teaches the method of claim 1, but is silent on wherein the user request causes a URL redirection.
However, the analogous art Momchilov teaches wherein the user request causes a URL redirection. (Col. 31 lines 38-43: bi-directional URL redirection includes application-to-web-browser redirection. If a user clicks on a URL link in an e-mail window presented by a published copy of Microsoft Outlook and the URL is redirected to the remote VDA and opened in a browser executing in the remote or virtual desktop).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combined inventions of Banga and Grec to include the idea of URL redirection as taught by Momchilov thus fulfilling security requirements, performing common state management between the sides of a connection and cache optimization (Col. 26 lines 58-60).
Claim 6: the combination of Banga, Grec and Momchilov teaches the method of claim 5, further comprising: capturing the user request to access a website on a first security zone, wherein the user request includes at least a URL of the website that does not comply with a security policy of the first security zone; and redirecting the request to access the website to a second security zone, wherein the URL designated in the user request complies with the security policy of the second security zone. (Momchilov: Col. 31 lines 3-45: the user click request on an email window is captured and checked if the request complies with one or more security contexts such as access restrictions etc. If it does not comply the request is redirected to a remote VDA window on a different zone where the user request is fulfilled).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combined inventions of Banga and Grec to include the idea of URL redirection based on security compliance as taught by Momchilov thus fulfilling security requirements, performing common state management between the sides of a connection and cache optimization (Col. 26 lines 58-60).
Claim 16: the combination of Banga and Grec teaches the system of claim 12, but is silent on wherein the user request causes a URL redirection.
However, the analogous art Momchilov teaches wherein the user request causes a URL redirection. (Col. 31 lines 38-43: bi-directional URL redirection includes application-to-web-browser redirection. If a user clicks on a URL link in an e-mail window presented by a published copy of Microsoft Outlook and the URL is redirected to the remote VDA and opened in a browser executing in the remote or virtual desktop).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combined inventions of Banga and Grec to include Col. 26 lines 58-60).
Claim 17: the combination of Banga, Grec and Momchilov teaches the system of claim 16, wherein the system is further configured to: capture the user request to access a website on a first security zone, wherein the user request includes at least a URL of the website that does not comply with a security policy of the first security zone; and redirect the request to access the website to a second security zone, wherein the URL designated in the user request complies with the security policy of the second security zone. (Momchilov: Col. 31 lines 3-45: the user click request on an email window is captured and checked if the request complies with one or more security contexts such as access restrictions etc. If it does not comply the request is redirected to a remote VDA window on a different zone where the user request is fulfilled).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combined inventions of Banga and Grec to include the idea of URL redirection based on security compliance as taught by Momchilov thus fulfilling security requirements, performing common state management between the sides of a connection and cache optimization (Col. 26 lines 58-60).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867.  The examiner can normally be reached on M-F: 7:45am-5pm (EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T. Arani can be reached on 5712723787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-






/BADRINARAYANAN /Examiner, Art Unit 2438.