
Add low integrity sandbox behind --enable-sandbox flag

Open deepanjanroy opened this issue 7 months ago • 2 comments

Design

  • You can turn on the sandbox using --enable-sandbox, only on Windows.
  • It checks for correct directory permissions at startup
  • If using the default directory structure, it offers to set up the permissions automatically. Users get an elevation request (see pics below). The elevated privileges only apply to the setup_sandbox_permissions.bat file. This should be a one time thing.
  • The directories user, custom_nodes, and output are lowered in integrity level, along with a new directory write-permitted.
    • Making custom_nodes low integrity means any custom node that wants to write to its own directory continues functioning. Tested with comfyui-manager. It also means if there is a binary inside a custom_node it will always run with low integrity.
    • The temp directory is moved inside the new write-permitted folder because we have code that deletes and recreates the entire directory.
    • If we ever want to create new places we want to write to, we can just put it inside write-permitted to keep things simple.

Manual tests performed:

  • The default comfy workflow can generate outputs
  • ComfyUI manager seems to work fine although I haven't tested it too hard
  • User settings persist across update
  • Works even if ComfyUI is in D: drive
  • If --enable-sandbox is not passed, it does not require pywin32 (so it also should not break non-Windows platforms)

Work to do in follow up PRs:

  • Support overriding directories (e.g. --output-directory)
  • Enable it by default / add the --enable-sandbox to bat file for portable
image

image

(^ this is a photo because it's hard to take a screenshot of the elevation screen)

deepanjanroy, May 30 '25 23:05
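A sketch of the kind of startup check the design above describes, added here as an illustration and not taken from the PR's code: it reads the mandatory integrity label out of each directory's SDDL string and reports any of the four directories that is not labelled low. It assumes the SDDL strings have already been read from the filesystem, that the label should be inherited by files and subdirectories (OI and CI), and the sample strings are constructed.

```python
import re

# Directories the PR description says are lowered in integrity level.
SANDBOX_DIRS = ("user", "custom_nodes", "output", "write-permitted")

# Mandatory-label SIDs, as SDDL aliases and in full form.
LEVELS = {
    "LW": "low", "ME": "medium", "HI": "high", "SI": "system",
    "S-1-16-4096": "low", "S-1-16-8192": "medium",
    "S-1-16-12288": "high", "S-1-16-16384": "system",
}
ACE_RE = re.compile(r"\(([^()]*)\)")


def integrity_label(sddl):
    """Return (level, inheritance_flags) from the ML ACE of an SDDL string."""
    for ace in ACE_RE.findall(sddl):
        fields = ace.split(";")  # type;flags;rights;object;inherit_object;sid
        if len(fields) >= 6 and fields[0] == "ML":
            flags = set(re.findall(r"[A-Z]{2}", fields[1]))
            return LEVELS.get(fields[5], fields[5]), flags
    # An object without an explicit label is treated as medium integrity.
    return "medium", set()


def check_sandbox_dirs(sddl_by_dir):
    """Return {directory: problem} for directories that fail the check."""
    problems = {}
    for name in SANDBOX_DIRS:
        if name not in sddl_by_dir:
            problems[name] = "missing"
            continue
        level, flags = integrity_label(sddl_by_dir[name])
        if level != "low":
            problems[name] = f"integrity level is {level}, expected low"
        elif not {"OI", "CI"} <= flags:  # assumption: inheritance is required
            problems[name] = "low label is not inherited by children"
    return problems


# Constructed sample input, not captured from a real installation.
SAMPLE = {
    "user": "O:BAG:BAD:(A;OICI;FA;;;BA)S:(ML;OICI;NW;;;LW)",
    "custom_nodes": "O:BAG:BAD:(A;OICI;FA;;;BA)S:(ML;;NW;;;LW)",
    "output": "O:BAG:BAD:(A;OICI;FA;;;BA)",
    "write-permitted": "O:BAG:BAD:AI(A;OICIID;FA;;;BA)S:AI(ML;OICI;NW;;;S-1-16-4096)",
}

if __name__ == "__main__":
    for directory, problem in check_sandbox_dirs(SAMPLE).items():
        print(f"{directory}: {problem}")
```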

(Automated Bot Message) CI Tests are running, you can view the results at https://ci.comfy.org/?branch=8351%2Fmerge

github-actions[bot], Jun 11 '25 17:06

Related: #11013 kinda does this on Linux. I just spotted your PR.

Baughn, Dec 07 '25 13:12