As far as I am concerned, it seems that the way of going from here, we need to consider the fact that Docker has the best all around technology for sandboxing applications.
You can see here that running GUI applications is quite “easy”. You can manage the write/read rights from a servet that launches the application.
The global architecture drawn for this project can be found here. To summarize this architecture, any client can go to a website that can be accessed only if connected to the school’s network. From this website, a user can connect to any application available to him. By chosing a software, it creates a VNC connection and creates a Docker container from a built image.
The docker container is persistent in the user’s allocated space. This allows the user to save his preferences and tweaks made to an application. Each container comes from a common image that is not accessible from the user’s disk space.