Protecting Yourself from Malicious Java Code

The following sections discuss several things you can do to protect your system against hostile Java code, starting with those recommendations anyone can perform, and ending with methods reserved for the more experienced user.

Total Security: Disable Java

If you are in an environment that demands total security, turn off all automatic executable content, including Java, in the Internet Security zone. This can be done in Internet Explorer by choosing Tools > Internet Options > Security > Custom Level > Java > Disable Java.
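The Custom Level dialog writes its choice into the per-zone registry keys Internet Explorer reads at startup, so the setting can be audited rather than trusted. The script below is an added example, not from the book; it assumes the zone settings live under the user hive (HKCU) and uses the zone numbers and the `1C00` (Java permissions) value that Microsoft documents for the Internet Settings zones, where a value of 0 means "Disable Java".

```powershell
# Added example: audit the Java permissions value (1C00) for each Internet
# Explorer security zone and flag the Internet zone if Java is still enabled.
# Assumption: settings are per-user under HKCU (a policy-managed machine may
# hold them under HKLM instead).
$zoneNames  = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites';
                 3 = 'Internet';    4 = 'Restricted sites' }
# Documented meanings of the 1C00 value; anything else is reported as unknown.
$javaLevels = @{ 0 = 'Disable Java'; 0x10000 = 'High safety'; 0x20000 = 'Medium safety';
                 0x30000 = 'Low safety'; 0x800000 = 'Custom' }
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Get-JavaZoneSetting {
    param([int]$Zone)
    $key   = Join-Path $base $Zone
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $raw   = $props.'1C00'
    if ($null -eq $raw) { $label = 'not set (browser default)' }
    elseif ($javaLevels.ContainsKey([int]$raw)) { $label = $javaLevels[[int]$raw] }
    else { $label = ('unknown (0x{0:X})' -f $raw) }
    [pscustomobject]@{
        Zone        = $Zone
        Name        = $zoneNames[$Zone]
        Raw         = $raw
        Setting     = $label
        JavaBlocked = ($raw -eq 0)   # only an explicit 0 counts as disabled
    }
}

# Report every zone, then warn if the Internet zone (3) still allows Java.
$report = 0..4 | ForEach-Object { Get-JavaZoneSetting -Zone $_ }
$report | Format-Table Zone, Name, Setting, JavaBlocked -AutoSize
$internet = $report | Where-Object Zone -eq 3
if (-not $internet.JavaBlocked) {
    Write-Warning "Java is not disabled in the Internet zone; set 1C00 to 0 under $base\3 or use the Custom Level dialog."
}
```

Run it after changing the dialog setting (and after any browser restart) to confirm the change actually persisted for the account in question.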

You may also consider removing Internet access altogether. In an environment needing the highest security, it’s hard to justify any Internet access. There are too many working exploits, and a steady stream of new ones keeps coming out of the world of executable content. The Java sandbox has been compromised at least a dozen times. Although all of those compromises have been demonstrated in research labs, who’s to say that a big hole hasn’t been discovered by a hacker ready to use it around the world? Some of the more recent holes did not take a “rocket scientist” to figure out; some of them are scarily easy once you know how. If you have to have a totally secure environment, disable the Internet. Weigh your potential costs against the benefits.

Run Only Trusted Java

Nothing can beat not running malicious applets in the first place. Start now and promise never to run untrusted code again. If you run a Java-enabled web or file server, ...

Get Malicious Mobile Code now with the O’Reilly learning platform.