Traditionally, extensible reference monitors are built using trusted subsystems. For example, the Unix password file is read-only, and only a setuid program can edit it. In a system with domain and type enforcement, the password database would have a type that is only editable by programs in the appropriate domain. In either case, the operating system has no a priori knowledge of the password database or password-changing utilities, but instead has security mechanisms general enough to protect the data by only allowing a small number of programs access to it. Clark and Wilson offer a particularly cogent argument in favor of the use of trusted subsystems and abstraction boundaries in the security of commercial systems.
There is no reason a program cannot have multiple signatures, and hence multiple principals. This means we must be able to combine potentially conflicting permissions granted to each principal, much as a traditional operating system must resolve permissions when a user belongs to multiple groups. One way to solve this problem is to choose a dominating principal, generally the principal about whom the user has the strongest feelings, and treat the program as though it were signed only by the dominating principal. Some systems also define an algebra for combining policies.
To clarify the policy engine's role, consider the file system protection mechanisms in Unix. The ``policy decisions'' in a Unix file system are the file permission bits for each directory and file; these are stored on disk. The role of the policy engine is played by code in the kernel that maintains the permission bits and uses them to decide which file access requests to allow.
In Java, a critical issue with the policy engine is how to help non-technical users make security-relevant decisions about whom they trust to access particular resources. To simplify the user interface, we want to pre-define groups of common privileges and give them user-friendly names. For example, a ``typical game privileges'' group might refer to specific limited file system access, full-screen graphics, and network access to the game server. Such groupings allow a single dialog box to be presented to a user, which does not burden the user with a long series of individual privilege decisions and their corresponding dialog boxes.
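The two mechanisms described above, combining the decisions attached to a multiply-signed program (a dominating principal versus a policy algebra) and expanding a named privilege group into individual privileges, as an added illustration that is not code from the paper or from any Java implementation; the principal names, privilege strings, group contents and stored policy are constructed sample data:

```python
# Added illustration (not the paper's code): resolving conflicting per-principal
# decisions for a program carrying several signatures, plus privilege-group expansion.
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    ASK = "ask"  # nothing stored: the engine would fall back to a user dialog

# A user-friendly group name stands for several individual privileges (hypothetical set).
PRIVILEGE_GROUPS = {
    "typical game privileges": {"file:read:/games/save",
                                "graphics:fullscreen",
                                "net:connect:game-server"},
}

def expand(privileges):
    """Replace group names by the individual privileges they stand for."""
    out = set()
    for p in privileges:
        out |= PRIVILEGE_GROUPS.get(p, {p})
    return out

# Decisions the user has stored per signing principal (constructed sample data).
POLICY = {
    "GameCo": {"typical game privileges": Decision.ALLOW},
    "AdNet":  {"net:connect:game-server": Decision.DENY,
               "file:read:/games/save": Decision.DENY},
}

def lookup(principal, privilege):
    """Stored decision of one principal for one privilege, after group expansion."""
    table = {}
    for name, decision in POLICY.get(principal, {}).items():
        for p in expand({name}):
            table[p] = decision
    return table.get(privilege, Decision.ASK)

def dominating(signers, privilege, ranking):
    """Treat the program as though signed only by the highest-ranked signer."""
    rank = lambda s: ranking.index(s) if s in ranking else len(ranking)
    return lookup(min(signers, key=rank), privilege)

def deny_overrides(signers, privilege):
    """One simple policy algebra: any explicit DENY wins, then any ALLOW, else ASK."""
    decisions = {lookup(s, privilege) for s in signers}
    if Decision.DENY in decisions:
        return Decision.DENY
    if Decision.ALLOW in decisions:
        return Decision.ALLOW
    return Decision.ASK
```

With both signers present, the two strategies disagree on the network privilege: the dominating-principal rule follows whichever signer the user ranks first, while deny-overrides lets the advertiser's explicit denial win.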
These organizations need hooks into the Web browser's policy mechanism to either pre-install and ``lock down'' all security choices or at least to pre-approve applications used by the organization. If an organization purchases a new product, its users should not each be burdened with dialogs asking them to grant it privileges. Likewise, if a Web site is known to be malicious, an administrator could block it from ever asking any user for a privilege.
Both Netscape and Microsoft have extensive support for centralized policy administration in their Web browsers. While malicious users may not necessarily be prevented from reinstalling their Web browser (or operating system) to override the centralized security policies, normal users can at least benefit from their site administrators' work to pre-determine which applications should and should not be trusted.