Sergio's blog entry refers to a new technical note, "Using Virtual Private Database in an Oracle HTML DB Application", written by Scott Spendolini, Sergio Leunissen, and David Knox (the author of the recent 10g security book published with Oracle Press).
This is quite a good paper that looks at how VPD, FGA, RLS - what else can Oracle think of to call it :) :) - can be used with an HTML DB application. I have written a two-part paper myself about Row Level Security and how to use it and protect its use.
This article about VPD and HTML DB is a very good, concise article that goes through the basics of how to set up VPD with a simple example and then shows how it can be tested in SQL*Plus. The authors then create a sample application in HTML DB and a test user, and show that the VPD policies still work from either SQL*Plus or HTML DB. The key is the use of a function called V that tests the HTML DB user against a value in session memory for the logged-in user from HTML DB.
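As an added illustration (not code from the technical note or from this blog), here is a minimal VPD policy of the kind described above, where the predicate calls V('APP_USER') for HTML DB sessions and falls back to USER in SQL*Plus. The schema APP_OWNER, the table ORDERS, the column OWNER_NAME and the policy names are hypothetical, and V is assumed to return NULL outside an HTML DB session.

```sql
-- Hypothetical objects for illustration: schema APP_OWNER, table
-- ORDERS(owner_name VARCHAR2(30), ...). None of these names come from the note.

CREATE OR REPLACE FUNCTION app_owner.orders_by_user (
    p_schema IN VARCHAR2,
    p_object IN VARCHAR2
) RETURN VARCHAR2
AS
BEGIN
    -- The predicate is a constant string: nothing user-controlled is
    -- concatenated into it. V('APP_USER') is evaluated when the query runs
    -- and yields the HTML DB login name; outside HTML DB (e.g. SQL*Plus)
    -- it is assumed to return NULL, so NVL falls back to the database USER.
    RETURN 'owner_name = NVL(v(''APP_USER''), USER)';
END orders_by_user;
/

BEGIN
    DBMS_RLS.ADD_POLICY(
        object_schema   => 'APP_OWNER',
        object_name     => 'ORDERS',
        policy_name     => 'ORDERS_BY_USER_POL',
        function_schema => 'APP_OWNER',
        policy_function => 'ORDERS_BY_USER',
        statement_types => 'SELECT, INSERT, UPDATE, DELETE',
        update_check    => TRUE  -- reject DML that creates rows the user cannot see
    );
END;
/

-- Check from SQL*Plus as a test user: only that user's rows are counted.
SELECT COUNT(*) FROM app_owner.orders;

-- Confirm the policy is registered and enabled (needs access to DBA_POLICIES).
SELECT pf_owner, policy_name, enable
  FROM dba_policies
 WHERE object_owner = 'APP_OWNER'
   AND object_name  = 'ORDERS';
```

Because the policy is enforced in the database, the same filter applies whether the query arrives from SQL*Plus or from the HTML DB application.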
A very good article; again, it is here.