You might want to read Woody's article,
»www.infoworld.com/t/web-browsers ··· page=0,0
weep, and then use the CERT registry file.
From Woody's article:
"You can disable Java in all of your browsers, simultaneously. Disabling Java in Chrome and Firefox is easy, but as best I can tell there's no way on heaven or earth to reliably disable Java in Internet Explorer, short of a complex procedure documented by the CERT team working on the latest attacks. Even then, I couldn't find any security experts willing to bet that CERT caught all of the potential vulnerable spots.
It gets worse. According to CERT, Microsoft botched its instructions for blocking Java in IE:
'Disabling the Java plug-in for Internet Explorer is significantly more complicated than with other browsers. There are multiple ways for a web page to invoke a Java applet, and multiple ways to configure Java Plug-in support. Microsoft has released KB article 2751647, which describes how to disable the Java plug-in for Internet Explorer. However, we have found that due to the multitude of ways that Java can be invoked in Internet Explorer, their guidance (as well as our prior guidance) does not completely disable Java.'
The Microsoft instructions kill about 20 Java CLSIDs. The CERT method kills almost 800 of them."
I didn't know anything about the Next Generation Java Plugin in IE and I had no idea that Java can now be invoked outside IE:
"is a newer version of the Java plug-in that executes outside the process space of the web browser. Note that this means that when invoked via the next-generation Java plug-in, Java executes outside any restrictions of the browser, such as DEP, Protected Mode, or other sandboxing." According to CERT, the only way to stop this newer version of the Java plug-in in IE is to remove the file. Then IE reverts to using the OLDER Java Plug-in which operates within the confines of the browser.
I also did not realize I would need to prevent IE from automatically opening JNLP files. CERT has a registry fix for this.
"A registry file that Disables the element in the IE "Internet Zone", sets the kill bit for all of the Java CLSIDs through Java 7 update 6, the Java Web Start ActiveX control, the Java Deployment Toolkit ActiveX controls, as well as prevents IE from automatically opening JNLP files, as described above, is available for download here:
»www.kb.cert.org/CERT_WEB/service ··· P_IE.reg
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson
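An added example, not part of the original post and not CERT's or Microsoft's file: a small Python audit that reads the text of a .reg file before it is merged and reports which keys under `ActiveX Compatibility` actually set the kill bit (`Compatibility Flags` 0x400) and which other keys the file touches. The sample text, its placeholder CLSIDs and the function names are constructed for illustration.

```python
import re

# Constructed sample in .reg syntax; the CLSIDs are placeholders, not real Java CLSIDs.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\ConstructedKey]
"SomeValue"=dword:00000001
"""

KILL_BIT = 0x400  # "Compatibility Flags" bit that stops IE from instantiating the control
COMPAT = re.compile(r"\\Internet Explorer\\ActiveX Compatibility\\(\{[0-9A-Fa-f-]{36}\})$", re.I)
SECTION = re.compile(r"^\[(-?)(.+)\]$")  # a leading "-" means the key is deleted
FLAGS = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$', re.I)

def audit_reg(text):
    """Return ({compat key: kill bit set?}, [other keys the file touches])."""
    entries, other, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            deleting, key = m.group(1) == "-", m.group(2)
            current = key if COMPAT.search(key) and not deleting else None
            if current:
                entries[current] = False  # stays False unless a flags line sets 0x400
            else:
                other.append(("delete " if deleting else "") + key)
            continue
        f = FLAGS.match(line)
        if current and f:
            entries[current] = bool(int(f.group(1), 16) & KILL_BIT)
    return entries, other

def killed_clsids(entries):
    """Distinct CLSIDs with the kill bit set in at least one registry view."""
    return {COMPAT.search(k).group(1).upper() for k, v in entries.items() if v}
```

Files exported by regedit are normally UTF-16, so decode the file with the matching encoding before passing its text to `audit_reg`.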