I had run derbyall (as I reported) with sane jars (and classes). All passed.
For derbynet.jar, used only on the server machine, the permissions need to be granted to the client machine. For derbyclient.jar, used only on the client machine, the permissions need to be granted to the server machine.
At least, that seemed to work and it made sense to me.
(Just for checks, I made sure the remote server testing works with the server started with sane and insane jars and this policy file. I need more changes in the tests in a follow-up patch to fully test the remote server stuff - that will be with DERBY-871; which is on hold waiting for this one).