allow_url_fopen is fine. If you need the feature, enable it. There are better tools out there for loading data from remote URLs (like the curl extension), but it's good enough for some simple use cases.
Its close relative, allow_url_include, is not safe. It allows functions like include() and require() to load and run code from remote URLs, which is a really bad idea. Leave that one turned off.
In the past, allow_url_include didn't always exist as a distinct option, so it was necessary to turn allow_url_fopen off to prevent badly written scripts from including data from remote URLs. That's no longer the case, though.
