"Now You're Thinking with Qubes"

I think it’s debatable whether the following should be considered non-standard uses, but I think they make nice use of the possibilities you have with Qubes, and they actually feel quite cool when you use them every day.

Using more than one sys-net

I work at a small company (~ 7 people) and we have set up strict network segmentation over the last years. Using WiFi we can access the Internet, but nothing internal. Using Ethernet, we access our internal infrastructure but do not have access to the Internet, not even via a proxy or some other fancy security mechanism. Instead, we all use Qubes laptops and have configured two sys-net VMs (with accompanying firewall VMs of course).

  • sys-net-lan - for internal access only. Here you can connect VMs that work with internal files, access internal systems and the like.
  • sys-net-wlan - here goes everything that requires an Internet uplink. Email (restricted to the IP address of our mail provider), mostly disposable VMs for web research, but also stuff like Spotify (ever thought about using a DisposableVM to launch your pre-configured Spotify client in the morning?).

Printing from disposableVMs

When I first set up Qubes I created a dedicated printing qube in the form of a persistent AppVM. I would copy files over there, start a file browser in this qube, navigate to the incoming folder, open and print a file, and hopefully not forget to delete it afterwards. But humans being what they are, something more urgent pops up before you can clean up after yourself, and so over time the qube filled up with old data. Turns out you can have this much easier, and most of it is already stated in the official docs.

  • Set up a dedicated template where you can install the potentially insecure 3rd party printing driver.
  • Create a DisposableVM template out of this template.

Now, whenever I want to print something I right-click on it and “Open in DisposableVM” it. Choose the printing DisposableVM from the drop-down, wait for the print job to finish and just close the window. The dispVM halts and everything unrequired has vanished.

I think this approach could use a bit more fine-tuning though. If you want to print multiple documents, it is inefficient to open a separate VM for each of them. Something like a wrapper which creates a new dispVM if none is running and otherwise opens documents in the already existing print VM would be great.

6 Likes
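
The two setup steps for the printing DisposableVM, as an added example for dom0 that is not part of the original post. The qube names (`debian-12`, `print-template`, `print-dvm`) and the optional `PRINT_NETVM` firewall qube are assumptions; by default the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the original post). Intended for dom0.
# Assumed names: debian-12 base template, print-template, print-dvm.
BASE_TEMPLATE="${BASE_TEMPLATE:-debian-12}"
PRINT_TEMPLATE="${PRINT_TEMPLATE:-print-template}"
PRINT_DVM="${PRINT_DVM:-print-dvm}"
# Optional: firewall qube in front of the network that can reach the printer
# (for example the one attached to sys-net-lan); its name is an assumption.
PRINT_NETVM="${PRINT_NETVM:-}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands, 0 = execute them

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Reject empty names, names starting with "-" (would be parsed as an option)
# and anything outside letters, digits, "_" and "-".
valid_name() {
    case "$1" in
        ""|-*|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

setup_print_dvm() {
    for n in "$BASE_TEMPLATE" "$PRINT_TEMPLATE" "$PRINT_DVM" ${PRINT_NETVM:+"$PRINT_NETVM"}; do
        valid_name "$n" || { echo "invalid qube name: $n" >&2; return 1; }
    done
    # Step 1: dedicated template; install the printer driver in this clone only.
    run qvm-clone "$BASE_TEMPLATE" "$PRINT_TEMPLATE"
    # Step 2: AppVM based on it, flagged as a disposable template.
    run qvm-create --template "$PRINT_TEMPLATE" --label red "$PRINT_DVM"
    run qvm-prefs "$PRINT_DVM" template_for_dispvms True
    run qvm-features "$PRINT_DVM" appmenus-dispvm 1
    # Disposables inherit netvm from their disposable template.
    if [ -n "$PRINT_NETVM" ]; then
        run qvm-prefs "$PRINT_DVM" netvm "$PRINT_NETVM"
    fi
}

setup_print_dvm
```

Review the printed plan, then run it again with `DRY_RUN=0` to apply it.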