HTML mail has precisely the same security implications as Web
browsing. If your Java VM is working correctly, a mail message
that invokes a Java applet will do exactly the same thing as a
Java applet on a Web page, and run with the same security, which
means that it cannot access any local files, or open network
connections to any but the sending host, or execute any native
code on your machine.

The current implementations of Java on the market are generally
safe. The current implementations of JavaScript (an entirely
different technology), VBScript, and ActiveX are /not/ safe, as
they have known security holes not yet addressed. Most browsers
will let you enable/disable these individually, and your email
should honor the same settings.
-- Lee Daniel Crocker <lee@piclab.com> <http://www.piclab.com/lcrocker.html>
"All inventions or works of authorship original to me, herein and past, are placed irrevocably in the public domain, and may be used or modified for any purpose, without permission, attribution, or notification."--LDC
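
An added example, not part of the original post: one way a mail client could honor per-technology settings is to scan an HTML body for the active content it invokes before rendering it. The setting names, the defaults (which mirror the post's assessment) and the sample message are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Hypothetical per-technology switches, standing in for the browser settings
# the post says a mail client should honor. Names and defaults are assumptions.
DEFAULT_SETTINGS = {"java": True, "javascript": False,
                    "vbscript": False, "activex": False}


class ActiveContentScanner(HTMLParser):
    """Collects which active-content technologies an HTML mail body invokes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.found = set()

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names; values may be None.
        attrs = {k: (v or "") for k, v in attrs}
        classid = attrs.get("classid", "").strip().lower()
        if tag == "applet" or (tag == "object" and classid.startswith("java:")):
            self.found.add("java")
        elif tag == "object" and classid.startswith("clsid:"):
            self.found.add("activex")
        elif tag == "script":
            lang = (attrs.get("language") or attrs.get("type") or "javascript").lower()
            self.found.add("vbscript" if "vbs" in lang else "javascript")
        for name, value in attrs.items():
            url = value.strip().lower()
            if url.startswith("vbscript:"):
                self.found.add("vbscript")
            elif url.startswith("javascript:") or name.startswith("on"):
                # Event handlers are counted as JavaScript (a simplification).
                self.found.add("javascript")


def blocked_technologies(html_body, settings=DEFAULT_SETTINGS):
    """Return the technologies the message uses that the settings disable."""
    scanner = ActiveContentScanner()
    scanner.feed(html_body)
    scanner.close()
    return sorted(t for t in scanner.found if not settings.get(t, False))


# Constructed sample message body (not taken from any real mail).
SAMPLE = """<html><body onload="init()">
<applet code="Clock.class" width="80" height="80"></applet>
<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<script language="VBScript">MsgBox "hi"</script>
<a href="JavaScript:void(0)">link</a>
</body></html>"""
```

A client would render the message as-is only when `blocked_technologies()` returns an empty list, and otherwise strip or refuse the listed content.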