Wrap Tails inside a VM, where the outer VM runs Tor and handles the network
Bryan Ford's research group has been working on "Winon", a bootable USB Ubuntu system that runs another VM inside itself, such that the inner VM has the sketchy applications (including Flash), and the outside has the iptables rules, anonymizing proxies, Tor controller interface, etc. The goal is to limit what the inside VM can reach.
I'm encouraging them to redo it as a fork of Tails, since, like most research groups, I expect they'll lose interest when it comes to maintaining their image over time. Maybe if they do it well enough, it will become a feature that Tails adopts.
(I'm putting this as a trac ticket in Tor's trac because it's a child of #7680 (moved). Feel free to refer us to tickets in other bugtrackers, e.g. if this ticket overlaps with something Tails is already working on.)