Always consider this as a high priority to change the emails of System Admins and other user emails who will be using the environment to have a valid email address under their user detail page. This can really be a problem if there are users who want to reset their password from the salesforce login page and click on the Forgot Password link. The email for reset password will not be sent to the valid email address. So spare some time to change the emails for all users to their working email so that they do not have issues login into the sandbox.

Well, this one is simple and you might ask why deactivate the user? because it's not good to have multiple users in the sandbox also you might accidentally send a Salesforce notification to the user from your sandbox. Have only the users who really use the environment and not the one who just occupies the Salesforce license. Use data loader to set all the users to IsActive to false that's all you need to do. 

Yes, IP restrictions can be placed for all the users in your sandbox. you might have customer sensitive information in your sandbox that can be a major security concern. Deleting the data might take you a long time but you can enforce IP restrictions on profile level and the Org Level so that only whitelisted IP login is permitted.

When it comes to full copy sandboxes you will have all the data bundled into your sandbox. This data can be sensitive data or personal data of the customer. To keep the data safe you can scramble the data in your tables or data mask them so that your data is safe and is not exposed to all. Mostly you can write scripts to scramble data or we can use Salesforce data mask to mask data in your sandbox.

Always change the custom settings, metadata, labels with the sandbox alternative, so that your sandbox doesn't interfere with the production settings. have a check on the metadata, custom settings where you might have links that are used in your integration. Always change the endpoint links for the integration setup to sandbox otherwise there are high chances of your sandbox being linked with the integration services.

If you have communities in your sandbox you need to reactivate them, you see after every refresh you get a new domain name for your sandbox which will host your communities in a new domain URL. So after a sandbox refresh republishing the community will make the site active and work again in your new sandbox domain.

These are the steps that you can always consider to do after a sandbox refresh and to keep your sandbox clean and secure from external parties.