This topic describes security risks from signed Java™ applets and provides recommendations for reducing these risks.
Your users might have followed your advice and set up their browsers to prevent applets from writing to any PC drives. However, your PC users need to be aware that a signed applet can override the setting for their browser.
A signed applet has an associated digital signature to establish its authenticity. When a user accesses a Web page that has a signed applet, the user sees a message. The message indicates the applet’s signature, who signed it and when it was signed. When your user accepts the applet, the user grants the applet an override to the security settings for the browser. The signed applet can write to the PC’s local drives, even though the default setting for the browser prevents it. The signed applet can also write to mapped drives on your server because they appear to the PC to be local drives.
For your own Java applets that come from your server, you might need to use signed applets. However, you should instruct your users in not to accept signed applets from unknown sources.