
How to grant AppContainer capabilities?

Open forderud opened this issue 3 years ago • 18 comments

I first want to thank you for sharing this project that makes it much easier to investigate AppContainer isolation on Windows! However, I am struggling to understand how to grant AppContainer capabilities like "removable media" (WinCapabilityRemovableStorageSid), "internet client" (WinCapabilityInternetClientSid) and similar to my applications. Don't really understand why it doesn't work. See examples below.

I've already verified in Process Explorer that the enabled capabilities are correctly propagated to the security settings for the launched process. The problem therefore appears more fundamental somehow. Any clue about why this doesn't work?

Removable media example


Network access example


STATUS UPDATE: Client-side socket connections will actually be enabled if using the WinSock API directly.

forderud, Nov 18 '20 09:11