It appears that there is a difference between signed webstart apps and signed Applets. In the Applet security model you can define a policy file which can be use to control the resources available to the applet. Whereas for webstart the JNLP does not have such fine grain control. Can anybody confirm this is the case as there appears to be a mismatch between the 2 approaches. If it is not the case can anybody provide me with any hints of how to have finer grain control form webstart, for example providing a list of directories that webstart can access rather than allowing it to access them all.