Use my MentalJS parser to isolate the environment. You can then choose which objects/variables it has access to by customizing the code.

http://businessinfo.co.uk/labs/MentalJS/MentalJS.html

http://code.google.com/p/mentaljs/

By default it allows access to document but you can prevent this, customize the environment here http://code.google.com/p/mentaljs/source/browse/trunk/MentalJS/javascript/Mental.js#260 you can then choose if they have access to Math etc.

It can be done without ECMA6 by using an IIFE that contains your trusted-needs-protection code, into which you inject your untrusted-needs-isolation-code (see example).

(function(injectedFunction) {
    /* Trusted code, that needs protection from untrusted code access */
    var hostingFuncPrivatePrimitive = "Hello there";
    var hostingFuncPrivateObject = {
        this_is_mine: true
    };

    var sharedPrimitive = 'This is shared';
    var sharedObject = {};

    // Running the untrusted code:
    injectedFunction(sharedPrimitive, sharedObject);

    console.log("sharedObject is: " + JSON.stringify(sharedObject));
    console.log("hostingFuncPrivateObject is: " +
        JSON.stringify(hostingFuncPrivateObject));
})(

(function(primitiveArg, objArg) {
    /* Untrusted code that needs isolation */

    // 1. using primitive (legal)
    console.log('primitiveArg is: ' + primitiveArg);

    // 2. Writing value to given objArg (legal):
    objArg.mumu = 'mimi';

    // 3. Trying to access host function variables (illegal)
    try {
        console.log('hostingFuncPrivatePrimitive is:' +
            hostingFuncPrivatePrimitive);
        hostingFuncPrivateObject.this_is_mine = false;
    } catch (e) {
        console.log(e);
    }
})

);

If you place the above in Chrome's console, you will get:

    primitiveArg is: This is shared
    VM117:29 ReferenceError: hostingFuncPrivatePrimitive is not defined
            at <anonymous>:26:17
            at <anonymous>:11:5
            at <anonymous>:16:3
    VM117:12 sharedObject is: {"mumu":"mimi"}
    VM117:13 hostingFuncPrivateObject is: {"this_is_mine":true}

P.S.: I know I'm late to the party, but maybe this helps anybody.

There is no good way to do this within javascript itself (but see Gareth Hayes answer for another option).

There are a couple of bad ways.

(function() {
  var scope = Object.create(null);
  var obscurer = {};
  for (var key in this) {
     obscurer[key] = undefined;
  }

  with (obscurer) {
    var isolated = function() {
      'use strict';
      console.log(document);
    };
  }

  isolated.call(scope);
})();

Note that you'll actually get an error because console is not defined rather than document, although you can fix this by not blocking 'console' in the obscurer object. You'll probably find that you need a whole bunch more globals than you realised.

You're also only blocking the enumerable properties of window. If you become aware of nonenumerable properties that you want to block too, you'll have to add those to obscurer.

Of course, using with means you can't use strict mode any more as well, and everyone will look down their noses at you..

There are more interesting options available if you are working within node rather than the browser.