Sun code is allowed to do many things that ordinary application code
is not. If it were not, it would never even get started.
The policy file is loaded by the active SecurityManager, which sets the
security options according to the file - so the security isn't in place
until the file has been read.
I'm still trying to piece together how this all works.
It is quite well described in the documentation for the SecurityManager.
My current guess is that sun booby traps the code in various critical
places saying in effect, "You must have permission X" to continue.
No guessing neccessary, that is exactly how it works.
There are also calls of the form "Do I have permission X?" I want to
find out now before I dismantle the plumbing.
Classes like FileInputStream, URLConnection, etc. check with the security
manager if their actions are allowed before they continue. If not the throw
the SecurityException.
There is also some sort of proxy system where the code says, I may/may
not be permitted to do this, but I am doing on behalf of A, and A has
permission.
Actually, when Applets are signed, certain allowances can be given through
the Applet SecurityManager. The signing does not say 'on behalf of', it is
merely meant to identify the creator and the user can make a decision if he
trusts that creator enough to let the Applet do things it is normally not
allowed to do.
If the Applet does destroy your system or extracts private material and
sends it elsewhere (and you find out about it, of course), you can find the
SOB who programmed the Applet/got the certificate through the certifying
agency and kick him where you please.
There is lots of detail, but I have not found something that explains
how it all fits together from a bird's eye perspective.
Sun has quite in-depth documentation on these things, but they are quite
cumbersome to go through (very dry material - could compete with the Sahara
- just like the official docs on JavaBeans).
Cheers.