To prevent information leakage, we ideally would run a virtual machine that tunnels all traffic via Tor, such as the VirtualPrivacyMachine. However, if you do not want to go through all that trouble, Systrace can come to the rescue. For investigations, I run Firefox under Systrace with a systrace policy that allows connections only to Privoxy. All other connections attempts are denied and logged. It is interesting to see how many connections Firefox tries to do all by itself that do not go via the proxy. There are update pings, and all kinds of other connections.
In this case, Systrace is not being used against an adversary but rather against an untrusted application. It works quite nicely at that, too.