A network scanner (26) for security checking of application programs (e.g. Java applets or Active X controls) received over the Internet or an Intranet (10) has both static (pre-run time) and dynamic (run time) scanning. Static scanning at the HTTP proxy server (32) identifies suspicious instructions and instruments them e.g. a pre-and post-filter instruction sequence or otherwise. The instrumented applet is then transferred to the client (14) (web browser (22)) together with security monitoring code. During run time at the client (14), the instrumented instructions are thereby monitored for security policy violations, and execution of an instruction is prevented in the event of such a violation.