
What's new with Java

Michael Horowitz | Nov. 3, 2014
There are three latest versions of Java. Tweaking Java to disable SSL 3.0. Securing Java. Explaining the security messages when running Java applets. Expiring old versions of Java.

SECURING JAVA
It keeps getting harder and harder to run a Java program (called an "applet") embedded in a web page. The rules often change and warnings are now the norm, both from the web browser and from Oracle.

Plus, there are two sets of rules, depending on whether the applet is digitally signed or not. And there are differences between Java 7 and 8.

Signed applets are treated like normal executables: they can do whatever the host operating system lets them do.

Unsigned applets run in a Java sandbox, walled off from the host system. Although the sandbox is far from perfect, reasonable people might consider applets confined to a sandbox safer. Oracle considers them more dangerous. In my opinion, they are placing way too much faith in the Certificate Authority system. Nonetheless, because Oracle thinks they are a greater security risk, they make it harder to run an unsigned applet than a signed one.

The other big factor in running applets is the Java security level. Java 7 has three security levels; Java 8 (as of Update 20) has only the two highest levels from Java 7. Both versions of Java default to the second highest level, which Oracle calls "high".

The "high" security level blocks the execution of unsigned applets by default. To run one, you have to first whitelist it (more below). The highest security level ("very high") is intended to block all unsigned applets (more on this below).

And, there is more.

Sitting above the Java security levels is an option to "Enable Java content in the browser". The security levels only apply when Java applets are allowed to run in browsers. The default is to enable Java in browsers.

It is much safer to disable Java in all browsers system-wide, if you can. The security flaws associated with Java only come into play when applets run in a browser.
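The relationship between the browser switch and the security levels can be checked from a Java deployment configuration file. The following is an added example, not part of the original article: the keys `deployment.webjava.enabled` and `deployment.security.level` are Oracle's deployment.properties names, which the article does not mention, and the sample file contents are constructed.

```python
import re

# Oracle deployment.properties keys (not named in the article); the defaults
# are the ones the article states: browser Java enabled, level "high".
DEFAULTS = {"deployment.webjava.enabled": "true",
            "deployment.security.level": "HIGH"}

# level -> (treatment of unsigned applets per the article, finding)
LEVELS = {
    "VERY_HIGH": ("blocked", "strict"),
    "HIGH": ("blocked unless whitelisted", "default"),
    "MEDIUM": ("lowest level, Java 7 only", "weak"),
}

def parse_properties(text):
    """Parse the key=value / key:value subset of a Java .properties file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":      # blank line or comment
            continue
        parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
        if len(parts) == 2:
            props[parts[0]] = parts[1]
    return props

def assess(text):
    """Return (browser_java_enabled, unsigned_applet_policy, finding)."""
    props = {**DEFAULTS, **parse_properties(text)}
    if props["deployment.webjava.enabled"].lower() != "true":
        # The browser switch sits above the levels: when off, no level applies.
        return (False, "level not applicable", "safest")
    level = props["deployment.security.level"].upper()
    policy, finding = LEVELS.get(level, ("unrecognized level " + level, "unknown"))
    return (True, policy, finding)

# Constructed sample files, not taken from any real system.
SAMPLES = {
    "stock": "# no overrides\n",
    "disabled": "deployment.webjava.enabled=false\ndeployment.security.level=MEDIUM\n",
    "java7_low": "deployment.security.level = MEDIUM\n",
    "locked": "deployment.security.level=VERY_HIGH\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, assess(text))
```

The "disabled" sample shows the precedence: a low security level is irrelevant once Java content in the browser is switched off.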

Users who can disable Java in browsers can still run normally installed applications that depend on Java. These applications use Java much like some Windows programs use the .NET framework. Some Windows programs that need Java are Wuala, Minecraft, and OpenOffice.

Anyone needing Java in a browser is best served by disabling Java in the browser they use most often, and enabling it only in a second browser dedicated to the websites that use Java.

Note that when Java is disabled system-wide, browsers may react as if Java is not installed. Firefox and Chrome don't even show Java in the list of installed plug-ins. Internet Explorer 11 may or may not show that Java is installed; it depends on the version of Windows and Java.

When Java is enabled for use in browsers, there are still other quirks in Windows 7.
