Java applets run inside a secure area called the "sandbox". They are not permitted to do certain things (access local files, connect to servers other than the one they were downloaded from, and so on) that could be used by a malicious applet to cause problems. If you want to circumvent these protective barriers, you must digitally sign your applet. Digitally signing does two things: it identifies you as the author of the applet, and it ensures that the applet has not been altered. A policy file is used in this scheme to spell out exactly what security barriers the applet is circumventing. Take a look at Advanced Programming for the Java 2 Platform, Chapter 10: Signed Applets, for an example.
If the user doesn't use the keytool to import the certificate, they will get a warning that the certificate may be invalid or otherwise untrustworthy. This is because in the tutorial we created the certificate ourselves. If you purchased a real certificate or imported the fake one with keytool, they would be warned that an applet signed by <some identity> is requesting permission to screw with their system. Any way you shake it, the user will have to authorize access. They do not, however, have to futz with keytool.
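A sketch of the kind of policy file described above, added here as an illustration and not taken from the tutorial or the original post. The keystore location, the alias "example-signer", the codeBase URL and the host name are all hypothetical; the alias must match the one under which the signer's certificate was imported with keytool.

```text
// Constructed example of a Java policy file; every name below is hypothetical.

// Keystore that holds the signer's imported certificate. The signedBy
// aliases used in the grant entries are looked up in this keystore.
keystore "file:${user.home}/applet-trust.jks", "JKS";

// Overly broad form, shown only for contrast: any code signed by this
// alias leaves the sandbox completely, whatever it was written to do.
//
// grant signedBy "example-signer" {
//     permission java.security.AllPermission;
// };

// Narrow form: the grant applies only to code that is BOTH signed by
// "example-signer" AND loaded from the stated codeBase. The trailing "-"
// in the codeBase matches that directory and everything beneath it.
grant signedBy "example-signer",
      codeBase "https://applets.example.com/reports/-" {

    // Read and write only inside one directory under the user's home.
    // ${/} expands to the platform's file separator.
    permission java.io.FilePermission
        "${user.home}${/}reports${/}-", "read,write";

    // Connect to one named host and port besides the origin server.
    permission java.net.SocketPermission
        "data.example.com:443", "connect,resolve";

    // Read the single system property needed to build the path above.
    permission java.util.PropertyPermission "user.home", "read";
};
```

Each permission line names one barrier being lifted, so the file doubles as a record of what the signed applet is allowed to do outside the sandbox.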