First of all, you may want to reconsider granting java.security.AllPermission to the world.
That said, if you look in the JAVA_HOME/jre/lib directory you should see two files.
In java.security there should be two lines that start with policy.url.1 and policy.url.2. They name the default policy files used by the JVM. Note: they must be specified as URLs, not Files. You can add more if you feel the need.
The java.policy file in the jre/lib directory is the default policy and is the baseline for all users. Permissions are additive, so more lenient permissions may be specified in the individual user's home directory than in these system-wide files.
Hope that helps and again, be careful about granting permissions too liberally.