restricted execution

erlang@REDACTED erlang@REDACTED
Tue Jun 10 05:32:26 CEST 2003


This is my week for stupid questions ... on the plus side I'm finding 
Erlang so compelling that I might actually gain some proficiency by dint of
outright practice.

This evening's topic for debate before the symposium:

In my researches online (so many that by now my head spins) I see lots of
references to safe, or safer, Erlang, and various models of restricted
execution.

Well, that's nice.  If I really, really wanted to run something relatively
customised, I could always implement a virtual machine (not a possibility 
I have completely eliminated, but one I'd prefer to avoid).  I'd rather not,
and this is pretty much my bottom line, have to deal with non-standard
forms of the language.

What I do want to be able to do:  run a user-provided process with some
assurance that the only external data access it has is precisely that which
I can provide it.

I realise that quite likely the basic form of Erlang doesn't make provision
for this, but looking at the facilities for cookies and so on, it strikes
me that something ought to be possible.

Is there a particularly common or usual answer to this?  I've worked in 
telecom situations, and I know that quite a lot of kit works with shared
secrets, which is pretty much what the cookies implement.  Anyone have
any suggestions?

My ideal situation: spawn a process, give it in its arguments a few 
processes it can communicate with, and leave it with no other sources of
information, nor external contact facilities.




