Not sure about you, but I often get a lot of questions about handling Java + updates in the corp environment.  I just saw a very cool podcast from PaulDotCom (http://pauldotcom.com/2013/11/episode-350-whitelisting-java.html) detailing two methods for controlling it a bit more with Java whitelisting.  The skinny:

Method 1: Reg hack (IE only)

If you are running old versions of Java, you can allow it to run only for sites in the Trusted Zones list via:

image

According to the podcast, a company with 15,000 endpoints that deployed this strategy went from 1.5 Java-based infections per DAY to about 1-2 per month.

Method 2: built-in Java whitelisting (multiple browsers)

For Java 1.7U40 and above, you can create an XML file with approved files/sites to allow and push that out through GPO. 
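As an added example (not from the podcast or the show notes), here is a small Python check to run over the XML whitelist before it goes out through GPO. It assumes the file follows Oracle's Deployment Rule Set `ruleset.xml` layout, where rules are matched top-down and the first match wins; the hostnames and the `lint_ruleset` helper are made up for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample rule set; the hostnames are placeholders.
SAMPLE = """\
<ruleset version="1.0+">
  <rule>
    <id location="https://timesheet.corp.example/" />
    <action permission="run" />
  </rule>
  <rule>
    <id location="http://legacy.corp.example/" />
    <action permission="run" />
  </rule>
  <rule>
    <id />
    <action permission="block" />
  </rule>
</ruleset>
"""

def lint_ruleset(xml_text):
    """Return a list of findings for a whitelist-style rule set."""
    findings = []
    rules = ET.fromstring(xml_text).findall("rule")
    catch_all_seen = False
    for n, rule in enumerate(rules, 1):
        rid, action = rule.find("id"), rule.find("action")
        if rid is None or action is None:
            findings.append(f"rule {n}: missing <id> or <action>")
            continue
        perm = action.get("permission")
        loc = rid.get("location")
        is_catch_all = not rid.attrib and rid.find("certificate") is None
        if catch_all_seen:  # first match wins, so this rule never applies
            findings.append(f"rule {n}: unreachable, follows a catch-all rule")
        if is_catch_all:
            catch_all_seen = True
            if perm != "block":
                findings.append(f"rule {n}: catch-all is '{perm}', not 'block'")
        elif perm == "run" and loc and not loc.startswith("https://"):
            findings.append(f"rule {n}: '{loc}' may run but is not pinned to https")
    if not catch_all_seen:
        findings.append("no catch-all block rule; unlisted sites get default Java handling")
    return findings

if __name__ == "__main__":
    for finding in lint_ruleset(SAMPLE):
        print(finding)
```
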

BTW I’m way shortening this explanation…see the show notes at http://pauldotcom.com/wiki/index.php/Episode350 for full details.