Hey, thanks for the report.
This is a known issue. In sandbox mode, the allowlist really isn’t applied. Sandbox is meant to replace the allowlist, with filesystem and network restrictions instead of per-command approval. But you’re right that the UI is confusing. The description and placement of the allowlist field make it look like it works as a fallback.
Workaround: enable Legacy Terminal Tool in Cursor Settings > Agents > Inline Editing & Terminal. With that, the allowlist will work as expected. You already found this in steps 5 to 7, so I can confirm it’s a working option.
About Windows and the “best-effort” network egress, that’s also on our radar.