Generally speaking, the term you are looking for is "sandboxing" (as in a place where these kids can do damage without affecting anything else). Sandboxing is a kind of difficult problem, but it is also very useful. It is therefore generally used in different places.
Process-based sandboxes are quite common nowadays, and all modern operating systems have [at least some] support for them. Windows, Mac, iOS, and Android application stores all offer sandboxed applications. Linux provides a sandbox feature used by elements such as Docker (and Chrome on Linux). FreeBSD (and its derivatives) have "prisons", etc. There are many ways to do it. A relatively simple solution can be created simply by using user permissions and access control lists. You create a new user account for the sandbox, give it no default access (which is tricky, because normally there are many things everyone can read at least), then give this account access to the things the sandbox code is allowed to touch. A process started as that user will have only very limited access to the system, until/unless it finds a way out.
Unfortunately, creating a secure sandbox tends to be somewhat platform-specific and complex for each platform. I have personally reviewed and discovered breaches in the sandboxes used by several products of major software companies (you've heard of them, you might even have them open right now). The sandbox model of the app store, which gives the developer little control over what can be done, in exchange for the operating system managing the entire creation and application of the sandbox, is appealing, and if you are writing for Mac or recent Windows, I recommend you take it into account.
Another type of sandbox, available on any modern desktop operating system but quite expensive to run, is a virtual machine sandbox (VM). By using any major VM platform (VMware, VirtualBox, Hyper-V, whatever), you can create a VM that has little or no access to the host operating system. This is the usual way for cloud computing providers to work; from Amazon's point of view, your small EC2 instance runs untrusted code, but needs to share the hardware with other unreliable users to be profitable, and virtual machines are used for this purpose. This is also a way to run potentially malicious code, because the host operating system can monitor what the virtual machine does, but the virtual machine cannot control the host.
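The account-per-sandbox approach above depends on knowing what a fresh account can already reach through "everyone" permissions. The following Python script is an added example, not part of the original answer: it audits a directory tree for files a given uid/gid set could read or write outside an allow-list. It assumes classic Unix mode bits only (ACLs and capabilities are ignored), and the directory names, the `jail` allow-list and the sandbox uid/gid are constructed for illustration.

```python
import os
import stat
import tempfile

def _bits(st, uid, gids):
    """Pick the owner, group or other rwx triplet that applies to this account."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def audit(root, uid, gids, allowed=()):
    """Map each reachable file outside the allowed subtrees to 'r', 'w' or 'rw'."""
    findings = {}
    allowed = [os.path.join(root, a) for a in allowed]
    for dirpath, dirnames, filenames in os.walk(root):
        # A directory without the search (x) bit hides everything below it.
        dirnames[:] = [d for d in dirnames
                       if _bits(os.lstat(os.path.join(dirpath, d)), uid, gids) & 1]
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            if any(os.path.commonpath([path, a]) == a for a in allowed):
                continue
            b = _bits(st, uid, gids)
            perms = ("r" if b & 4 else "") + ("w" if b & 2 else "")
            if perms:
                findings[os.path.relpath(path, root)] = perms
    return findings

def demo():
    """Constructed tree owned by the current user; the sandbox account is a stranger."""
    layout = {"etc/app.conf": 0o644, "etc/secret.key": 0o600, "private/notes.txt": 0o644,
              "jail/input.dat": 0o666, "shared/scratch.tmp": 0o666}
    with tempfile.TemporaryDirectory() as root:
        for rel, mode in layout.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            os.chmod(os.path.dirname(path), 0o755)
            with open(path, "w") as fh:
                fh.write("x")
            os.chmod(path, mode)
        os.chmod(os.path.join(root, "private"), 0o700)  # no search bit for others
        owner = os.lstat(root)
        return audit(root, owner.st_uid + 1, {owner.st_gid + 1}, allowed=["jail"])

if __name__ == "__main__": print(demo())
```

Every entry in the result is something the sandbox account gets "for free" and that needs either tighter permissions or a deliberate decision to allow it.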