We received an email tip today that Oracle added a new security feature to Java that might be pretty important (awaiting confirmation that I can publicly credit the person who sent it in):
Deployment Rule Set is a new security feature in JDK 7u40 that allows a system administrator to control which applets or Java Web Start applications an end user is permitted to execute and which version of the Java Runtime Environment (JRE) is associated with them. Deployment Rule Set provides a common environment to manage employee access in a controlled and secure manner.
Clearly it depends on how easy it is to circumvent, and I don’t even hope it will stop advanced attacks, but it does seem like it might help if you put the right policy set in place. More details are available.