I believe the security of Web Start is similar to
Applets. There are restrictions to system access, but all these can be dismissed if you sign your jar files. The user will usually get a message saying, "This program is asking for permission to access your system", or something like that. I don't remember the exact words.
Basically, any Java program can get system resources. Web Start is just a deployment solution; a way to distribute your application. It's your application that has to do the accessing.