Rich posted a great article detailing a change in Java 1.7u51; namely, the default security level is now "High", and unsigned applets are blocked.
Let's say you're in an environment where you can't update your Junipers right away, and you want to prevent your users from freaking out/manually adding an exception. Looks like it's really easy to do, by updating the following plain text file:
/Users/foo/Library/Application Support/Oracle/Java/exception.sites
Of course, you could package this an FUT/FEU and deploy it with a simple Casper policy.