In addition to enabling sandbox security in the ColdFusion Administrator, the application server must be running a security manager (java.lang.SecurityManager) and you must define the following JVM arguments:
-Djava.security.manager -Djava.security.policy="cf_webapp_root/WEB-INF/cfusion/lib/coldfusion.policy" -Djava.security.auth.policy="cf_webapp_root/WEB-INF/cfusion/lib/neo_jaas.policy"
You configure these settings by using a text editor to modify the jrun_root/bin/jvm.config file. or through the Settings panel of the JRun Management Console (JMC).