It actually seems that it's only partially true.
The parser tries to validate the document using the doctype specification. The thing is that it first tries to look for the dtd in the jar using the DTD name. If this fails, then the dtd is fetched from the URL.
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
In this case, it would first try to find //Sun Microsystems, Inc.//DTD Web Application 2.3// in some location (don't ask me where..maybe in JDK's jars or something). If this is not being found, then it tries to fetch from the URL.
I was able to reproduce this by altering the DTD name to something bogus, i.e. //SunZZZZ MicrosystemsZZZ, Inc.//DTD Web Application 2.3//
My packet sniffer showed me that the it connected to the sun website.
If anybody has a better understanding of this and would like to share it..feel free to do so.