java security applet classloader unsigned

Why aren't unsigned applets allowed to create custom ClassLoaders?


Java applets don't allow you to write a custom ClassLoader, unless you sign your applet. Why is this so? A custom ClassLoader is just a tool for finding classes. You can't actually load the class except by calling the private "defineClass" method, which is "trusted" code in the sense that it is written and controlled by the VM, not by your applet. It's not like you gain any more permissions than the ability to dynamically load a class... Which really is nothing at all.

I guess as a side question: Is there any other way to dynamically go from

byte[] => Class

which is allowed by unsigned applets?


Solution

  • defineClass has a ProtectionDomain parameter that you could pass with a PermissionCollection containing AllPermission, which would allow you to do basically anything to the host machine.
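
The ProtectionDomain point above, as an added example that is not part of the original answer: a hypothetical `DomainLoader` defines the same constructed `Payload` bytes twice, and the permissions each resulting class carries come entirely from the domain the loader chose to pass to `defineClass`. Under a security manager, constructing any `ClassLoader` subclass requires `RuntimePermission("createClassLoader")`, which is the gate the sandbox withholds from unsigned code; all class and method names below are assumptions for illustration, and `readAllBytes` needs Java 9 or later.

```java
import java.io.InputStream;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

public class DefineClassDomains {

    // Constructed sample class; its bytes are re-defined below by a custom loader.
    public static class Payload { }

    // Hypothetical loader: the subclass, not the VM, picks the ProtectionDomain.
    static class DomainLoader extends ClassLoader {
        DomainLoader() { super(null); } // delegate to the bootstrap loader only

        Class<?> define(String name, byte[] b, ProtectionDomain pd) {
            return defineClass(name, b, 0, b.length, pd);
        }
    }

    // Read the compiled bytes of a class that is already on the classpath.
    static byte[] bytesOf(Class<?> c) throws Exception {
        String res = c.getName().replace('.', '/') + ".class";
        try (InputStream in = c.getClassLoader().getResourceAsStream(res)) {
            return in.readAllBytes();
        }
    }

    // Build a domain with static permissions: either AllPermission or none.
    static ProtectionDomain domain(boolean all) {
        Permissions perms = new Permissions();
        if (all) perms.add(new AllPermission());
        return new ProtectionDomain(new CodeSource(null, (Certificate[]) null), perms);
    }

    public static void main(String[] args) throws Exception {
        byte[] b = bytesOf(Payload.class);
        String name = Payload.class.getName();
        // Same bytes, two loaders, two different privilege levels.
        Class<?> trusted = new DomainLoader().define(name, b, domain(true));
        Class<?> sandboxed = new DomainLoader().define(name, b, domain(false));
        System.out.println(trusted.getProtectionDomain().implies(new AllPermission()));
        System.out.println(sandboxed.getProtectionDomain().implies(new AllPermission()));
    }
}
```

The bytecode is identical in both calls; only the domain argument differs, which is why the ability to call `defineClass` at all has to be treated as a privileged operation.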