I was half joking here, but the more I think about it, the more
appealing this setup seems (especially now that we know that at least
one very powerful organization is devoting massive resources to
compromising TorBrowser itself on end user machines).
I think there are still some significant hurdles, though. In order to do
this safely, I think you need to set your your DispVM template's NetVM
to "none." Otherwise, it's too easy to accidentally use the normal
firewallvm instead of your torvm, or to get confused or forget. All it
takes is one mistake like this to blow your anonymity for good. Another
possible reason (I don't know whether this is the case, so someone with
the appropriate technical knowledge: Please enlighten me.) is that if
the DispVM is set to the firewallvm by default, then once you start the
DispVM, it would be possible for a program to, e.g., contact an external
server in the clear (e.g., to check for an update) as soon as the DispVM
starts up, before you change the NetVM to your TorVM. This could
obviously have serious implications for the anonymity of your session
thereafter.
The problem is that this causes a pretty big inconvenience for using the
DispVM in general (except for those times at which you actually *want*
it to be network-disconnected), because it means that you have to set
the NetVM every time you want to use the DispVM for anything
network-related (whether clearnet or Tor). But one could probably write
some simple scripts to automate this. I think it's as simple as running
either
qvm-prefs -s fedora-18-x64-dvm netvm firewallvm
or
qvm-prefs -s fedora-18-x64-dvm netvm torvm
before starting the DispVM normally.
The other issue is getting TorBrowser in there. I'm guessing that merely
copying the TBB directory to fedora-18-x64-dvm isn't risky as long as we
don't run it (even if it's malicious). So, it should be fine to keep it
in there (instead of having to copy it to a fresh DispVM each time you
want to use it, which would be a hassle), even if you sometimes use your
DispVM for, e.g., banking (or whatever you consider to be a sensitive
clearnet activity).
But this would become another hassle once TBB gets the ability to update
itself.
It seems to me that all of these issues would be moot if one could
create multiple DispVM templates, but I don't know how difficult that
functionality would be to code. :)