WebStart has allowed one to open a browser pointed at a URL since day one. This is accomplished via the showDocument method of BasicService (see http://java.sun.com/products/javawebstart/docs/javadoc/javax/jnlp/BasicService.html#showDocument(java.net.URL) ).
Why have we made AWT's API more restrictive?
I've exchanged emails with the security folks and no one had a good answer here. Although Stanley pointed out you shouldn't allow developers to open up local files in the browser if running in the sandbox.