If they are really untrusted, and you want to be sure, you'd set up a separate box. Either really, or virtually.

Further, you don't want that box to be in the same network as your important stuff, if you are paranoid enough. In all solutions you'd set up a separate user with no rights, so as not to open too many tools to the would-be compromiser.

So the safest option would be a separate box removed physically from your network.

You could give in a bit by adding it to the physical network, but on a different subnet: no 'real' connection inside.

A virtual machine would be an option, but you might have to give up some performance.

If you are bound to running it on the same box, you have, for instance, this option:

chroot. This is a default option for doing this for lots of people, and for non-specific threats it might even work. But it is NOT a security option, and can be broken out of rather easily. I'd suggest using this as intended, i.e. not for security.
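
As an added example (not part of the original answer), one way to check that the separate account mentioned above really has "no rights" is to audit its passwd and group entries. The function name `audit_account`, the `PRIV_GROUPS` list and the sample data are assumptions constructed for illustration; on a real system, feed it the output of `getent passwd` and `getent group`.

```shell
#!/bin/sh
# Groups that commonly grant root-equivalent or broad access.
# Assumed list for illustration; adjust for your distribution.
PRIV_GROUPS="root sudo wheel adm disk docker lxd shadow"

# audit_account USER PASSWD_TEXT GROUP_TEXT
# Prints one finding per line.
# Returns 0 if clean, 1 if any finding, 2 if the account does not exist.
audit_account() {
    user=$1 passwd_text=$2 group_text=$3
    entry=$(printf '%s\n' "$passwd_text" |
        awk -F: -v u="$user" '$1 == u { print; exit }')
    [ -n "$entry" ] || { echo "account not found: $user"; return 2; }
    uid=$(printf '%s' "$entry" | cut -d: -f3)
    gid=$(printf '%s' "$entry" | cut -d: -f4)
    findings=0
    if [ "$uid" -eq 0 ]; then echo "uid is 0 (root)"; findings=1; fi
    if [ "$gid" -eq 0 ]; then echo "primary gid is 0"; findings=1; fi
    for g in $PRIV_GROUPS; do
        # Member if it is the primary group or the user is listed in field 4.
        hit=$(printf '%s\n' "$group_text" |
            awk -F: -v g="$g" -v u="$user" -v gid="$gid" '
            $1 == g {
                if ($3 == gid) { print "yes"; exit }
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] == u) { print "yes"; exit }
            }')
        if [ "$hit" = "yes" ]; then
            echo "member of privileged group: $g"; findings=1
        fi
    done
    return $findings
}

# Constructed sample data (not from a real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
sandbox:x:1500:1500::/home/sandbox:/bin/sh
builder:x:1501:1501::/home/builder:/bin/sh'
SAMPLE_GROUP='root:x:0:
sudo:x:27:alice,builder
docker:x:998:builder
sandbox:x:1500:
builder:x:1501:'

# Demo: "builder" looks unprivileged by uid but is in sudo and docker.
audit_account builder "$SAMPLE_PASSWD" "$SAMPLE_GROUP" || true
```
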