Applets can connect back to the server they were downloaded from ("same origin policy"). From 6u10 they can also access sites with appropriate crossdomain.xml
file (google it).
Randomly allowing access to any site obviously isn't going to be good for security. You can sign your code and have the PlugIn allow users to remove security. However, that requires you know about security to do it safely (which most people don't) . For a "nice" security dialog you need a certificate signed by a trusted certificate authority.
Another option is to have your web server machine forward on connections. However, that again is tricky to do securely.