Yes, a security policy that does not grant any permissions is the most restrictive policy you can define with the standard Java Security Manager, and it will prevent anything running in that JVM from doing anything that requires a security permission. The core Java API checks for several different security permissions before allowing code running under a Security Manager to do anything that could be harmful, so it is theoretically safe to run untrusted code to which no permissions have been granted.
There are a few exceptions: for example, code loaded from the system class path is allowed to call System.exit(), which will stop your application, and code running without any permissions can create any number of new threads, which may bog down the system. If this is a problem, you will need to consider writing a custom Security Manager.
In your case, if you run the application code and the code provided by the user in the same JVM, you need to grant the application code the permissions it needs to do its work without giving any rights to the untrusted code, so you need to add something like the following to the policy file:
    grant codeBase "file:path/to/trusted/application/jars" {
        permission java.security.AllPermission;
    };
Keep in mind that if you specify a policy file on the command line, you will need to use a double equals sign (e.g. -Djava.security.policy==policy.file); otherwise your policy will extend the default Java security policy, which grants a minimal set of permissions to all code.
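The split the answer describes, trusted application code running untrusted code in the same JVM, as an added example (not code from the original answer): the comment at the top shows the assumed policy file (sandbox.policy, codeBase path and class name are placeholders), and the class itself adds a programmatic belt-and-braces check by running the untrusted action under an AccessControlContext whose only protection domain has an empty permission set, so it is confined even if a misconfigured policy would otherwise grant it something. It also exercises the two caveats from the answer: System.exit() is blocked by checkExit(), while thread creation needs no permission at all. Note that the Security Manager was deprecated for removal in JDK 17 (JEP 411) and permanently disabled in JDK 24 (JEP 486), so this runs on JDK 8 through 23 only.

```java
import java.io.File;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

/*
 * Launch (JDK 8 to 23):
 *
 *   java -Djava.security.manager -Djava.security.policy==sandbox.policy SandboxDemo
 *
 * sandbox.policy (assumed file name) grants everything to our own classes only.
 * "/-" matches the directory and everything below it; use "/*" for a directory of jars.
 *
 *   grant codeBase "file:/path/to/app/classes/-" {
 *       permission java.security.AllPermission;
 *   };
 *
 * Because of the "==", classes loaded from anywhere else get no permissions at all.
 */
public class SandboxDemo {

    // A context whose single protection domain holds an empty permission set.
    // Every checkPermission() made while it is in effect fails, because all
    // domains on the stack (ours plus this one) must hold the permission.
    private static final AccessControlContext NO_PERMISSIONS = new AccessControlContext(
            new ProtectionDomain[] {
                new ProtectionDomain(new CodeSource(null, (Certificate[]) null), new Permissions())
            });

    /** Runs an action with no permissions, whatever the policy grants to the caller. */
    static <T> T runSandboxed(PrivilegedAction<T> action) {
        return AccessController.doPrivileged(action, NO_PERMISSIONS);
    }

    /** Attempts an operation and reports whether the Security Manager allowed it. */
    static String attempt(String what, Runnable op) {
        try {
            op.run();
            return what + ": allowed";
        } catch (SecurityException e) {            // AccessControlException is a subclass
            return what + ": denied (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        if (System.getSecurityManager() == null) {
            throw new IllegalStateException("start the JVM with -Djava.security.manager");
        }

        // Trusted code outside the sandbox: allowed, since our codeBase has AllPermission.
        System.out.println(attempt("trusted: list /", () -> new File("/").list()));

        // The same operations inside the zero-permission context: denied.
        System.out.println(runSandboxed(() ->
                attempt("sandbox: list /", () -> new File("/").list())));
        System.out.println(runSandboxed(() ->
                attempt("sandbox: read user.home", () -> System.getProperty("user.home"))));

        // System.exit() goes through SecurityManager.checkExit(), so the JVM keeps running.
        System.out.println(runSandboxed(() ->
                attempt("sandbox: System.exit", () -> System.exit(1))));

        // The caveat from the answer: creating a thread in a non-root thread group
        // needs no permission, so sandboxed code can still flood the JVM with threads.
        System.out.println(runSandboxed(() ->
                attempt("sandbox: new Thread", () -> new Thread(() -> { }).start())));
    }
}
```

The programmatic context is what makes this robust: the policy file decides what each codeBase may do, but wrapping the untrusted call in runSandboxed() guarantees the empty permission set applies even when the untrusted classes end up on the application class path by mistake. The thread case is the one the policy cannot fix; limiting it requires a custom Security Manager whose checkAccess(ThreadGroup) rejects sandboxed callers, as the answer says.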