Can signed applets connect with a different host f

Published 2020-04-08 13:59

Question:

I need an applet to open a socket and communicate with a server listening on the local host to which the applet downloaded (the end user machine).

Contrary to what I have read about applet security, it seems that even signed applets cannot open a socket to a different host from which they were downloaded (on the same machine it works perfectly).

I have certified the applet using -selfcert, signed it using jarsigner, and still, whenever it tries to open a socket to a different host, I get:

Java.lang.Exception: java.security.AccessControlException: access denied (java.net.SocketPermission 127.0.0.1:9999 connect,resolve)

I even tried changing the Java policy file, although with signed applets it is not required to do so:

grant codeBase "http://applethost:8080/socket" {
  permission java.security.AllPermission;
  permission java.lang.RuntimePermission "usePolicy";
};

What is the deal with signed applets, can they connect to a different host or not?

Answer 1:

Yes, when you load your applet, if you choose to accept its certificate and trust it, it is granted AllPermission, which includes SocketPermission. I have written a signed applet before that connects to a host other than the one from which it was loaded. You could try temporarily changing your java policy file to just have

grant {
  permission java.security.AllPermission;
};
  • Look in your policy file to see if it defines any other policy.url locations; perhaps they are interfering.
  • Check your browser settings for JavaScript maybe.
  • Make sure that you accepted the certificate for the applet and that it gets installed to your list of site certificates.
  • Make sure the grant codeBase line you have is the same as the codebase in your applet's manifest.
  • You could try printing out the list of permissions that your applet has before you try the connect.
  • You could try to programmatically grant AllPermission from within the applet.
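
The permission printout and codebase comparison suggested in the answer above, as an added example that is not part of the original post. `PermissionProbe` is a hypothetical helper name, and the code assumes a Java runtime of the applet era with the security manager API available; the host and port are the ones from the exception in the question.

```java
import java.net.SocketPermission;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.ProtectionDomain;

// Added diagnostic, not code from the original post. PermissionProbe is a hypothetical name.
public final class PermissionProbe {

    // Builds a report to print to the Java console just before the applet connects.
    public static String report(Class<?> appletClass, String host, int port) {
        StringBuilder out = new StringBuilder();
        Permission[] wanted = {
            new SocketPermission(host + ":" + port, "connect,resolve"),
            new AllPermission()
        };
        for (Permission p : wanted) {
            try {
                // Evaluates every caller on the current stack, as the real connect check does.
                AccessController.checkPermission(p);
                out.append("granted: ").append(p).append('\n');
            } catch (AccessControlException e) {
                out.append("DENIED:  ").append(p).append('\n');
            }
        }
        try {
            ProtectionDomain pd = appletClass.getProtectionDomain();
            CodeSource cs = pd.getCodeSource();
            // Compare this location with the codeBase of the grant entry in the policy file.
            out.append("code source: ").append(cs == null ? "none" : cs.getLocation()).append('\n');
            // Zero certificates means the class was not loaded from a signed JAR.
            Object[] certs = (cs == null) ? null : cs.getCertificates();
            out.append("signer certificates: ").append(certs == null ? 0 : certs.length).append('\n');
            // Permissions bound to the domain when the class was loaded.
            out.append("domain permissions: ").append(pd.getPermissions()).append('\n');
        } catch (SecurityException e) {
            // Sandboxed code lacks RuntimePermission "getProtectionDomain".
            out.append("cannot read protection domain: ").append(e.getMessage()).append('\n');
        }
        return out.toString();
    }

    public static void main(String[] args) {
        System.out.print(report(PermissionProbe.class, "127.0.0.1", 9999));
    }
}
```

Call `PermissionProbe.report(getClass(), "127.0.0.1", 9999)` from the same method that opens the socket, so the stack being checked is the one the connect will run on.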