...
* A URLClassLoader, when constructed using the default constructor, does not check package access permissions. However, when the static newInstance() method is used, the obtained instance carries out the check. Doing so does not limit what system classes can do; however, it restricts the range of system packages that can be used from less-privileged code.
The following text comes from SCG 2007, it is instructional and maybe useful in an introduction.
When any method from the following table is invoked on a Class, ClassLoader or Thread object, a comparison is run between the method's immediate caller's class loader and that of the object on which the method is invoked. (SCG 2007)
...