Sandbox security protections are turned off when running from
Flex Builder using a file url instead of a web address. Yes you
need a crossdomain policy file to access a resource from a server
other then where the flex app is served from.
This is quite well explained in the help. The only thing that
is an issue is figuring out where the WebServer root is, since this
may be different for different web servers. On Tomcat there is a
directory called ROOT where the file must be placed.