Abstract: Micro-kernel based virtualization architectures such as NOVA solve the problems of a large trusted computing base and a large attack surface found in most macro-kernel based virtualization systems. However, NOVA lacks separate protection for virtual machines of different security levels. It also lacks an access control mechanism governing virtual machines' access to I/O resources. In this paper, we propose the concept of security regions and introduce a way to divide virtual machines into several security regions, upon which the I/O resource access control mechanism is built. To implement I/O resource access control between different security regions, this mechanism adds an access control module to the key code path between the virtual machine monitor and the I/O services. The experiments show that, while improving the isolation and safety of data, the mechanism only slightly impacts the performance of CPU-bound and I/O-bound tasks.