The Java update goes one step further to minimize repeat incidents, as well -- it makes the "high" setting the default and asks permission before it launches any applet that wasn't officially signed.