Understanding container security

Application processes running in Windows Server containers (the default process-isolation mode) are actually running on the host. If you run multiple ASP.NET applications in containers, you'll see multiple w3wp.exe processes in the task list on the host machine. Sharing the operating system kernel between containers is what makes Docker containers so efficient: the container doesn't load its own kernel, so startup and shutdown are very fast and the runtime resource overhead is minimal. The trade-off is that the kernel is the only boundary between containers; Hyper-V isolation, which runs each container with its own kernel inside a lightweight VM, gives a stronger boundary at some cost in startup time and resources.
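To see this for yourself on a Windows Server Docker host, the following PowerShell snippet (an added example, not code from the book) checks a container's isolation mode and then looks up the PIDs that `docker top` reports for the container in the host's own process table. The container name `web` is an assumption; any running container will do.

```powershell
# Added example (not from the book): show that a process-isolated Windows
# container's processes are ordinary processes on the host.
# Assumes Docker Engine on Windows Server with a running container;
# the name 'web' is an assumption, substitute your own.

$container = 'web'

# Isolation mode decides whether the container shares the host kernel
# ('process') or gets its own kernel in a lightweight VM ('hyperv').
$isolation = docker inspect --format '{{.HostConfig.Isolation}}' $container
"Isolation mode for ${container}: $isolation"

# docker top lists the processes the engine sees inside the container.
# On Windows the columns are Name, PID, CPU, Private Working Set.
$top = docker top $container
$top

# Take the PID column (second whitespace-separated field, skipping the header)
# and look each one up in the host process table.
$pids = $top |
    Select-Object -Skip 1 |
    ForEach-Object { ($_ -split '\s+', 3)[1] } |
    Where-Object { $_ -match '^\d+$' }

foreach ($p in $pids) {
    $proc = Get-Process -Id $p -ErrorAction SilentlyContinue
    if ($proc) {
        "PID $p ($($proc.ProcessName)) is visible in the host process table"
    } else {
        "PID $p is not a host process (expected for hyperv isolation)"
    }
}
```

With process isolation every PID resolves to a host process (for an ASP.NET container you will see w3wp.exe among them); with Hyper-V isolation the PIDs belong to the utility VM and do not resolve on the host, which is exactly the difference in trust boundary the text describes.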

Software running inside a container may have security vulnerabilities, and the big question security folks ask about Docker is: how secure is the isolation between containers? If an app in a Docker container is compromised, a host process is compromised. Could the attacker use that process to compromise other processes, potentially hijacking the host machine or the other containers running on it?

Breaking out of a container and compromising other containers or the host would be possible if there were an exploitable vulnerability in the shared operating system kernel, since the kernel is what enforces the isolation. The Docker platform is built on the principle of defense in depth, so even if that were possible, the platform provides multiple ways to mitigate it.

The Docker platform has near feature parity between Linux and Windows, with a few remaining gaps on the Windows side being actively worked on. But Docker has a longer history of production deployment on Linux, and much of the security guidance and tooling, such as Docker Bench and the CIS Docker Benchmark, is specific to Linux. It's useful to know the Linux side, but many of its practical points, such as recommendations about Linux capabilities, seccomp and AppArmor profiles, do not apply to Windows containers.