DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Request for Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after allowance or after an Office action under Ex Parte Quayle, 25 USPQ 74, 453 O.G. 213 (Comm'r Pat. 1935). Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, prosecution in this application has been reopened pursuant to 37 CFR 1.114.  Applicant's submission filed on 09/08/2021 has been entered.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Matthew Voog on 06/03/2021.
The application has been amended as follows: 
15. (Currently Amended) The host computer system of claim 13, wherein the condition is a first condition, and wherein the first isolation firewall is further configured to block data being communicated from the workspace to the second isolated computing environment on a fourth condition.

Response to Amendment
Claims 1-9 and 12-20 are pending. Claims 1-9, 12, 15 and 20 are currently amended. Claims 10-11 are canceled.
Applicant’s amendments to the claims will overcome each and every 112(b) rejection previously set forth in the Non-Final Office Action mailed 01/21/2021.
Response to Arguments
Applicant’s arguments, see pages 10-12, filed 05/21/2021, with respect to the 103 rejections have been fully considered and are persuasive.  The 103 rejection of claims 1-9, 12 and 20 has been withdrawn.

Allowable Subject Matter
Claims 1-9 and 12-20 are allowed.
Examiner’s Statement for Allowance
The following is a statement of reasons for allowance: After further search and consideration and applicant arguments of 05/21/2021 on pages 10-12, the prior art taken Hoy et al. (US Patent No. 9,942,198) discloses a host computer that supports a virtual guest system running thereon. The host system has a firewall that prevents it from communicating directly with the Internet, except with predetermined trusted sites. The virtual guest runs on a hypervisor, and the virtual guest comprises primarily a browser program that is allowed to contact the Internet freely via an Internet access connection that is completely separate from the host computer connection, such as a dedicated network termination point with its specific Internet IP address, or by tunneling through the host machine architecture to reach the Internet without exposing the host system. The virtual guest system is separated and completely isolated by an internal firewall from the host, and the guest cannot access any of the resources of the host computer, except that the guest can initiate cut, copy and paste operations that reach the host, and the guest can request print of documents. The host can transfer files to and from a virtual data storage area accessible by the guest by manual operator action. No other transfer of data except these user initiated actions is permitted (Hoy, Abstract),
Bonomi et al. (US Pub No. 2018/0115519) discloses enterprise grade security for integrating multiple computing domains with a public cloud is provided herein. An example system a forwarder that provides one-way data publishing to a public cloud and a data bus that provides domain-to-domain messaging between a plurality of domains. At least one of the plurality of domains includes operational technology infrastructure devices and operational technology virtual machines. The operational technology virtual machines are communicatively coupled to the operational technology infrastructure devices using one or more operational technology switches. The (Bonomi, Abstract),
Violleau et al. (US Patent No. 7,926,086) discloses an access control mechanism is provided on a computing device to allow an application provider to set up a declarative security policy specific to an application module. When a runtime environment of the computing device receives a request from a second application instance in a second execution context to access a protected resource in a first application instance, the runtime environment invokes the access control mechanism to determine, based on a protection-domain-level domain security policy, whether the second application instance is allowed to access protected resources in the first execution context. If so, the runtime environment invokes the access control mechanism to determine, based on a declarative security policy for a first application module associated with the first application instance, whether the second application instance is allowed to access the protected resource. If so, the runtime environment allows the second application instance access to the protected resource requested (Violleau, Abstract),
Sun et al. (US Patent No. 9,787,639) discloses an enforcement point can run in a container to execute low-level firewall rules (Sun, column 10, lines 17-29 and 48-66 and column 4, line 63-column 5, line 5),
Pai et al. (US Pub No. 2017/0353496) discloses a host operating system running on a computing device monitors network communications for the computing device to identify network resources that are requested by the computing device. When an untrusted network resource is identified, the host operating system accesses the untrusted network resource within a container that is isolated from the host operating system kernel using techniques discussed herein. By restricting (Pai, Abstract),
Myrick et al. (US Patent No. 9,465,734) discloses each of the processes within a memory coalition may be sandboxed within its own sandbox which is isolated from the sandboxes of the other processes within the memory coalition to provide enhanced security relative to malware, etc. Various different known techniques for sandboxing processes can be used including, for example, the use of one or more of (a) different container directories specifying permitted and accessible (file system) storage locations in a non-volatile storage system for sandboxed processes such that other storage locations in the non-volatile storage are not accessible by the sandboxed process; (b) entitlements specifying what hardware or software resources a sandboxed process is permitted to use and what resources is not permitted to use; or (c) memory space privileges specifying the memory locations the sandboxed process can access such that other memory locations cannot be accessed by the sandboxed process. It will be appreciated that various other additional techniques can be used from the sandboxing art in order to sandbox each process from the other processes and isolate malware in one process from another process (Myrick, column 8, lines 48-67),
Broz et al. (US Pub No. 2016/0246974) discloses an isolated compute environment may be provided. An external interface may be provided by the isolated compute environment identifying a list of applications. Responsive to receiving a first request to access a first application in the list of applications from a source outside of the isolated compute environment, the isolated compute environment may provide interactive support to the first application to share the first application and the first application's data with the source. Responsive to receiving a second (Broz, Abstract),
Walsh (US Pub No. 2011/0154431) discloses a sandbox tool can create and maintain multiple isolated execution environments, simultaneously. The sandbox tool can assign a unique security label to each isolated execution environment. In order to ensure the security labels are unique, the sandbox tool, for each security label, can bind a communication socket in an abstract name space of the operating system with a name that is the same as the security label. If the operating system returns an error that the name for the communication socket is already in use, the sandbox tool can determine that the security label is already in use by another isolated execution environment or other process (Walsh, Abstract),
Hunt et al. (US Pub No. 2012/0017213) discloses facilitating sandboxing of applications by taking core operating system components that normally run in the operating system kernel or otherwise outside the application process and on which a sandboxed application depends on to run, and converting these core operating components to run within the application process. The architecture takes the abstractions already provided by the host operating system and converts these abstractions for use by the sandbox environment. More specifically, new operating system APIs (application program interfaces) are created that include only the basic computation services, thus, separating the basic services from rich application APIs. (Hunt, Abstract) and
Woolward (US Patent No. 9,560,081) discloses micro segmentation of data networks are provided herein. Exemplary methods include: receiving a high-level declarative policy; getting metadata associated with a plurality of containers from an orchestration layer; determining a low-level firewall rule set (Woolward, Abstract),
however, the prior art taken alone or in combination fails to teach or suggest “isolate the first isolated computing environment from at least the workspace and from the second isolated computing environment using a first isolation firewall such that data can be communicated from the first isolated computing environment to the second isolated computing environment on a condition, wherein the first isolation firewall that is associated with the first isolated computing environment; isolate the second isolated computing environment from at least the workspace and from the first isolated computing environment using a second isolation firewall that is associated with the second isolated computing environment; and isolate the workspace from at least one network destination using a host-based firewall, the host-based firewall is configured to block a data communication sent to the workspace from the at least one network destination” (as recited in claim 13) and “implement a host operating system that enables operation of a trusted workspace, the trusted workspace configured to enable operation of a first set of one or more applications or processes using a trusted memory space; implement a first sandboxed computing environment that uses the host operating system and that is configured to enable operation of a second set of one or more applications or processes using a first untrusted memory space; implement a second sandboxed computing environment that uses the host operating system and that is configured to enable operation of a third set of one or more applications or processes using a second untrusted memory space; isolate the first sandboxed computing environment and the second sandboxed computing environment from the trusted workspace that uses the trusted memory space using an isolation firewall; isolate the first sandboxed computing environment that uses the host operating system from the second sandboxed computing environment that uses the host operating system using the isolation firewall such that data can be communicated from the first sandboxed computing environment to the second sandboxed computing environment on a condition; and isolate the trusted workspace from at least one network destination using a host-based firewall, the host-based firewall being configured to block a data communication sent to the trusted workspace from the at least one network destination” (as recited in claims 1 and 20). Claims are allowed in light of the above claim limitations when in combination with the remaining claim limitations.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHAQUEAL D WADE whose telephone number is (571)270-0357.  The examiner can normally be reached on M-F 8:00-5:00.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on 571-272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/SHAQUEAL D WADE-WRIGHT/ Examiner, Art Unit 2437
/KRISTINE L KINCAID/ Supervisory Patent Examiner, Art Unit 2437