If you are behind a network firewall that requires you to use a web proxy with your browser, your Java environment will also need to use a proxy to connect to tool sessions. The default security manager for Java stipulates that an applet can make network connections only to the web server from which it was originally loaded. Connecting to a proxy requires additional privileges—even though the ultimate connection through the proxy is to the originating web server.
In order to empower an applet with additional privileges, it must be signed. This is a process by which a cryptographic identity is added to the applet to prove the identity of its author. The first time you load a particular signed applet, your Java virtual machine will show you a dialog similar to the following:

This dialog shows that the applet was authored by Purdue University and is confirmed by Thawte Consulting (a certificate authority that most JVM's trust). If you trust the author of this applet, you can select "Yes" to load the applet.
A signed applet can have many privileges. It can access your general window system, your computer's peripherals, and your local file system. The hub VNC applet uses additional privileges only to connect to your web proxy. The applet contains no code to perform any kind of additional access to your computer's local resources.