Java Web Start allows the distribution of applications from a web server. This application will be able to connect to a website that is different from the website it was downloaded from only if the code is signed.
Yes, I think you are correct. If the application is unsigned, it runs within the sandbox and you can only get access to the server that supplied the application. If it is signed and then trusted by the user, you get access to all resources.
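Where this distinction is declared, as an added example that is not part of the original posts: a JNLP descriptor that requests full access. The host `example.com`, the file names and the main class are constructed placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example descriptor; every name and URL is a placeholder. -->
<jnlp spec="1.0+" codebase="https://example.com/app/" href="app.jnlp">
  <information>
    <title>Example App</title>
    <vendor>Example Vendor</vendor>
  </information>

  <!--
    Requesting all-permissions takes the application out of the sandbox.
    Every JAR listed under <resources> must then be signed, and the user
    is asked to trust the signer before the application starts.

    Delete the whole <security> element to get the sandboxed variant:
    the application may then open network connections only to the host
    it was downloaded from (the codebase host above), and has no access
    to the local file system.
  -->
  <security>
    <all-permissions/>
  </security>

  <resources>
    <j2se version="1.8+"/>
    <jar href="app.jar" main="true"/>
  </resources>

  <application-desc main-class="com.example.Main"/>
</jnlp>
```

When reviewing a deployment, check whether the `<security>` element is present at all: an application that only talks to its own origin does not need it and can stay sandboxed.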