Ok, I understand
.policy file configures JVM granting objects permissions, and the primary idea of it is to restrict applications' access to webserver: it's configuration files, file system, JVM properties, etc. In other words, there are "inside" restrictions. It's clear about the scopes of inside access. But what about "outside" access restrictions? I still can't find answer -
which applet external activity restrictions do exist? If I'm not mistaked, the applet can connect to any DB (no guarantees it'll be successfull, but it can try), ''walk freely on web". SocketPermission is not suitable here, cause it doesn't provide any flexible settings, I can only choose between "restrict evrthg" and "allow evrthg".
Note: Here we're talking about the applet as about the blackbox, considering the situation I have no abilities to change it's code but need to control it's behavior by Tomcat capabilities. I think it's doable thing, but I haven't enough skills.