Not sure about you, but I often get a lot of questions about handling Java and its updates in a corporate environment. I just saw a very cool podcast from PaulDotCom (http://pauldotcom.com/2013/11/episode-350-whitelisting-java.html) detailing two methods for getting a bit more control over it with Java whitelisting. The skinny:
Method 1: Reg hack (IE only)
If you are running older versions of Java, you can restrict it to running only for sites in the Trusted Zones list via:
According to the podcast, a company with 15,000 endpoints that deployed this strategy went from 1.5 Java-based infections per DAY to about 1-2 per month.
Method 2: built-in Java whitelisting (multiple browsers)
For Java 1.7U40 and above, you can create an XML file listing the approved applications and sites and push it out through GPO.
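As an added example (not from the post or the podcast), this is what such a whitelist looks like in the Deployment Rule Set format that Java 7u40 and later read; the hostnames and the pinned JRE version are placeholders for illustration:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- ruleset.xml: Java Deployment Rule Set (Java 7u40+).
     Rules are evaluated top to bottom and the first match wins,
     so the catch-all block rule must come last. -->
<ruleset version="1.0+">

  <!-- Allow an internal HR app (hypothetical host) to run without the
       usual security prompts, pinned to one JRE so that a different,
       possibly vulnerable runtime is not picked up by accident. -->
  <rule>
    <id location="https://hr.intranet.example.com" />
    <action permission="run" version="1.7.0_45" />
  </rule>

  <!-- Allow a vendor portal (hypothetical host), but only on the most
       recent secure JRE installed on the machine. -->
  <rule>
    <id location="https://portal.vendor.example" />
    <action permission="run" version="SECURE" />
  </rule>

  <!-- Everything else is blocked. The message tells users why, so the
       helpdesk hears about missing entries instead of users looking for
       ways around the rule set. -->
  <rule>
    <id />
    <action permission="block">
      <message>Blocked by the corporate Java whitelist. Contact the helpdesk to request access.</message>
    </action>
  </rule>

</ruleset>
```

The file goes into a jar named DeploymentRuleSet.jar as ruleset.xml, signed with a certificate the client JRE trusts, and lands in the Java deployment directory (C:\Windows\Sun\Java\Deployment on Windows), which is the artifact GPO distributes. An unsigned or badly signed jar is not honored, so confirm on a test endpoint (Java Control Panel, Security tab, "View the active Deployment Rule Set") before rolling it out.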
BTW, I'm way shortening this explanation; see the show notes at http://pauldotcom.com/wiki/index.php/Episode350 for full details.