Starting with sandbox development

Microsoft has had a horrific security track record. But the real problem in 2011 isn't operating systems, its web applications and web browsers. You should explore projects like Damn Vulnerable Web App, OWASP WebGoat and especially Google Gruyere. You can find pre-built VM's for all of them, and Google is hosting theirs so you don't have to install anything.

A fantastic book on rootkits and exploiting Win32 systems via them is, "The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System." It has extremely in depth information about rootkits and the process behind them. Be forewarned though, in order to fully appreciate the book, a background in C is highly recommended.

Googles Gruyere is definitely the way to go when you speak of novice.
As @Rook wrote, web apps is what you should be seeing today. You don't have to worry about concepts, as you go way down the Gruyere, they explain the concepts before you enter the particular exploit. I am learning my way with Gruyere, as we speak here now :)