A Java applet is a Java program which is run from inside a web browser. Unlike a Java application, an applet is restricted in some areas, unless it has been deemed trustworthy by the end user. This security restriction is in place to protect the end user from malicious code which could, for example, delete files or copy sensitive information from the hard disk of the end user.
In general, applets loaded over the Internet (or any network) are prevented from reading and writing files on the client file system, and from making network connections except to the originating host.
In addition, applets loaded over the net are prevented from starting other programs on the client. Applets loaded over the net are also not allowed to load libraries, or to define native method calls. If an applet could define native method calls, that would give the applet direct access to the underlying computer.
Applets are not allowed to open network connections to any computer, except for the host that provided the .class files. This is either the host where the html page came from, or the host specified in the codebase parameter in the applet tag, with codebase taking precendence.
Applets loaded over the net are not allowed to start programs on the client. That is, an applet that you visit can't start some rogue process on your PC. In UNIX terminology, applets are not allowed to exec or fork processes. In particular, this means that applets can't invoke some program to list the contents of your file system, and it means that applets can't invoke System.exit() in an attempt to kill your web browser. Applets are also not allowed to manipulate threads outside the applet's own thread group.
If an applet is loaded over the net, then it is loaded by the applet class loader, and is subject to the restrictions enforced by the applet security manager. A web browser uses only one class loader, which is established at start-up. Thereafter, the system class loader cannot be extended, overloaded, overridden or replaced. Applets cannot create or reference their own class loader. The applet security manager is the Java mechanism for enforcing the applet restrictions described above. A browser may only have one security manager. The security manager is established at startup, and it cannot thereafter be replaced, overloaded, overridden, or extended. Applets cannot create or reference their own security manager.
The bottom line is, although no program can be guaranteed to to be totally bug free, and no language or operating system can be guaranteed to be totally secure, Java offers a practical level of security for most applications.
To find out more about Java security, check out Sun's Java Security page.