After setting up ssh and opening up ssh in the firewall etc. I was able to ssh log in as rover with X forwarding set (had problems with using -XC ssh command that implements authorisation, but -YC was fine, and being the same desktop -Y is fine).Something to think about, rover could be setup as default on all containers.
Tried a few security things such as trying to sudo, su, run gparted ...etc. and they were all blocked as desired. Running programs such as galculator and the window popped up as expected.
Did try running seamonkey and seamonkey -no-remote, but both of those failed (segmentation dumps).