Receive input from the user through the keyboard or the
mouse.
Make a network connection to the server from which it came and
can send to and receive arbitrary data from that server.
Anything you can do with these abilities you can do in an applet.
An applet cannot:
Write data on any of the host's disks.
Read any data from the host's disks without the user's
permission. In some environments, notably Netscape, an applet
cannot read data from the user's disks even with permission.
Delete files
Read from or write to arbitrary blocks of memory, even on a
non-memory-protected operating system like the MacOS. All memory
access is strictly controlled.
Make a network connection to a host on the Internet other than
the one from which it was downloaded.
Call the native API directly (though Java API calls may
eventually lead back to native API calls).
Introduce a virus or trojan horse into the host system.
An applet is not supposed to be able to crash the host system.
However in practice Java isn't quite stable enough to make this
claim yet.