Using an enterprise configuration for
Java[TM] Web Start and Java[TM] Plug-in
Overview
There are several deployment properties
that an enterprise may wish to mandate for all its users, or for which it may
wish to suggest defaults that the users can override.
Alternatively, a system administrator may want to mandate settings or
suggest defaults for all users on a particular machine.
Both can be done by setting up a system or enterprise configuration.
Directories
<deployment.user.home>
A user's deployment configuration is stored in a file named
"deployment.properties" in a directory we refer to as
<deployment.user.home>. This directory is under the user's
home directory <user.home>. On Windows platforms this is
<user.home>\Application Data\Sun\Java\Deployment (on XP, this is
usually "C:\Documents and Settings\<user name>\Application
Data\Sun\Java\Deployment").
On Unix platforms this is <user.home>/.java/deployment.
<deployment.system.home>
An enterprise configuration is set up by placing a file named
"deployment.config" in a directory we refer to as
<deployment.system.home>. On Windows platforms this
directory is "<Windows Directory>\Sun\Java\Deployment", on Unix
platforms this is "/etc/.java/deployment".
jre lib directory
An alternate location for the deployment.config file is the lib
directory of the JRE. A deployment.config file in the JRE lib
directory is only used if there is no deployment.config file in
the <deployment.system.home> directory, and only when Plug-in,
Web Start, or the Control Panel is run from that JRE (i.e., after the
next Java update it will no longer be used unless it is copied to the
new JRE's lib directory).
Setup
An enterprise configuration is set up
by placing a "deployment.config" file in the <deployment.system.home>
directory (or the JRE lib directory). The deployment.config file
can contain two properties:
deployment.system.config,
and
deployment.system.config.mandatory.
The value of the deployment.system.config property
is the URL of the enterprise deployment.properties file, so that file
can be placed anywhere on the network.
The deployment.system.config.mandatory
property is a boolean value, and can be set to "true" to require that the
URL be reachable. In that case an application or applet will not run if Java Web Start or Java Plug-in cannot reach the specified URL at start-up. Without mandatory set, an application or Plug-in applet ignores the enterprise configuration if the specified URL cannot be reached. If the enterprise configuration is relied on as a security control, set mandatory to "true"; otherwise anything that makes the URL unreachable silently removes the restrictions it carries.
The enterprise configuration's deployment.properties file can contain
any property used in the user's deployment.properties file.
Additionally, for any property <deployment.xxx> (other than
properties starting with "deployment.javaws.jre"),
the enterprise configuration can add the property "deployment.xxx.locked". When "deployment.xxx.locked" is present,
the value of the property "deployment.xxx"
in the user-level deployment.properties file is ignored, and the UI
component in the Control Panel that controls that property is
disabled (i.e., the user cannot override the value of "deployment.xxx" set in the enterprise
config file).
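The following is an added example for a Unix host, not code from the original page or from Sun: it lays out a deployment.config, an enterprise deployment.properties with locked entries, and a user's own deployment.properties in a scratch directory, then resolves the value a client would end up using under the locking rules just described. The reading that a "deployment.javaws.jre*" property can never be locked (so the user's value wins for it) is an assumption; all paths, property values and the intranet URL mentioned in the comments are constructed for the example.

```shell
#!/bin/sh
# Added example (not code from the original page): lay out an enterprise
# configuration in a scratch directory and resolve the effective value of a
# property. A "deployment.xxx.locked" entry in the enterprise file makes the
# user's own value for deployment.xxx ignored; properties starting with
# "deployment.javaws.jre" cannot be locked, so for them the user's value
# wins (that reading is an assumption). All paths/values are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
SYSTEM_HOME="$WORK/etc/.java/deployment"        # stands in for /etc/.java/deployment
USER_HOME="$WORK/home/alice/.java/deployment"   # stands in for ~/.java/deployment
mkdir -p "$SYSTEM_HOME" "$USER_HOME"

# Enterprise deployment.properties. In production this could live on any URL
# the clients can reach, e.g. http://intranet.example/java/deployment.properties.
cat > "$SYSTEM_HOME/deployment.properties" <<'EOF'
deployment.security.askgrantdialog.show=false
deployment.security.askgrantdialog.show.locked
deployment.security.askgrantdialog.notinca=false
deployment.security.askgrantdialog.notinca.locked
deployment.javaws.jre.0.product=1.6.0_45
deployment.proxy.type=3
EOF

# deployment.config in <deployment.system.home>: points at the enterprise
# file and makes it mandatory, so clients refuse to run applets and
# applications when the URL cannot be reached.
cat > "$SYSTEM_HOME/deployment.config" <<EOF
deployment.system.config=file://$SYSTEM_HOME/deployment.properties
deployment.system.config.mandatory=true
EOF

# A user's own deployment.properties that tries to override the settings.
cat > "$USER_HOME/deployment.properties" <<'EOF'
deployment.security.askgrantdialog.show=true
deployment.javaws.jre.0.product=1.5.0_22
deployment.proxy.type=0
EOF

# escape_key KEY -> KEY with its dots escaped for use in a regex.
escape_key() { printf '%s' "$1" | sed 's/[.]/\\./g'; }

# prop_present FILE KEY -> succeeds if KEY appears, bare or as KEY=value.
prop_present() { grep -qE "^$(escape_key "$2")(=.*)?$" "$1"; }

# prop_value FILE KEY -> prints the value of KEY=value (empty if absent).
prop_value() { sed -n "s/^$(escape_key "$2")=//p" "$1" | head -n 1; }

# effective_value KEY -> the value the client ends up using:
#   the enterprise value when KEY is locked (and lockable),
#   else the user's value when the user set one, else the enterprise value.
effective_value() {
    sys="$SYSTEM_HOME/deployment.properties"
    usr="$USER_HOME/deployment.properties"
    case "$1" in
        deployment.javaws.jre*) locked=no ;;          # never lockable
        *) if prop_present "$sys" "$1.locked"; then locked=yes; else locked=no; fi ;;
    esac
    if [ "$locked" = yes ]; then
        prop_value "$sys" "$1"
    elif prop_present "$usr" "$1"; then
        prop_value "$usr" "$1"
    else
        prop_value "$sys" "$1"
    fi
}

# mandatory_flag -> value of deployment.system.config.mandatory from deployment.config.
mandatory_flag() { prop_value "$SYSTEM_HOME/deployment.config" deployment.system.config.mandatory; }

for key in deployment.security.askgrantdialog.show deployment.javaws.jre.0.product \
           deployment.proxy.type deployment.security.askgrantdialog.notinca; do
    printf '%-45s -> %s\n' "$key" "$(effective_value "$key")"
done
printf 'enterprise config mandatory: %s\n' "$(mandatory_flag)"
```

Running it shows askgrantdialog.show resolving to the locked enterprise value "false" even though the user set "true", while deployment.javaws.jre.0.product and the unlocked deployment.proxy.type resolve to the user's values. To deploy for real, place deployment.config under /etc/.java/deployment (or the Windows equivalent) and point deployment.system.config at the URL where the enterprise deployment.properties is published.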
Properties
As stated earlier, any deployment
property recognized by Java Web Start or Java Plug-in can be set in the
enterprise configuration file, but here are some that might be used for
enterprise security setup:
deployment.system.cachedir
This property defines the location of the system cache. A
system cache can be used to share applications with all users in an
enterprise, or just with multiple users on a system. The system
cache can be populated by using the "javaws -import -system
<url>" command.
deployment.system.security.policy
This property points to a policy file that will be used for all
Web Start applications and Plug-in applets. The permissions
granted by this policy file will be added to the sandbox permissions
granted to untrusted applications and applets.
deployment.security.trusted.policy
This property points to a policy file that will be used instead
of "all-permissions" for trusted applications and applets. This
defines the "ceiling" policy.
deployment.system.security.trusted.certs
This property points to a keystore of "pre-accepted"
certificates. By using this property you can allow users to
run Java Web Start applications and Java Plug-in applets with all-permissions without ever seeing a security dialog.
deployment.security.askgrantdialog.show
This property determines if users are allowed to see security
dialogs. By setting this to false, users are not allowed to grant
trust to applications using certificates that are not already
trusted. In conjunction with the above, an enterprise can specify
exactly which applications are trusted.
deployment.security.askgrantdialog.notinca
This property determines whether a user can grant trust to applications with
self-signed certificates, or certificates otherwise not in the root CA
store.
deployment.proxy.type,
... , deployment.proxy.auto.config.url
These properties can be used to configure the proxy for the enterprise.
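The following is an added example that ties the properties above together, not code from the original page or from Sun: it builds a "pre-accepted" trusted.certs keystore with the JDK's keytool, writes a ceiling policy for trusted code, emits an enterprise deployment.properties in which every security-relevant property is set and locked, and then audits a properties file for that posture beside a weak counterpart that sets the same values without locking them. The throwaway self-signed signer certificate, the cache directory, the policy grants, the PAC URL and all file paths are assumptions for the example; the keytool step is skipped when no JDK is on PATH.

```shell
#!/bin/sh
# Added example (not code from the original page): pre-accepted signer
# keystore + ceiling policy + locked enterprise deployment.properties, and an
# audit of that file. All names, paths and values are assumptions.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
KEYSTORE="$WORK/trusted.certs"
POLICY="$WORK/trusted.policy"

# Stand-in for the enterprise code-signing certificate: generate a throwaway
# self-signed key pair and import its certificate into a JKS keystore that
# deployment.system.security.trusted.certs will point at. Skipped when no
# JDK is on PATH; the rest of the example does not depend on it.
if command -v keytool >/dev/null 2>&1; then
    keytool -genkeypair -alias corp-signer -keyalg RSA -keysize 2048 \
        -dname "CN=Example Corp Code Signing" -validity 365 \
        -keystore "$WORK/signer.jks" -storepass changeit -keypass changeit
    keytool -exportcert -alias corp-signer -keystore "$WORK/signer.jks" \
        -storepass changeit -file "$WORK/corp-signer.cer"
    keytool -importcert -noprompt -alias corp-signer -storetype JKS \
        -file "$WORK/corp-signer.cer" -keystore "$KEYSTORE" -storepass changeit
fi

# "Ceiling" policy: what trusted (signed, pre-accepted) code gets instead of
# all-permissions. Standard Java policy-file syntax; grants are illustrative.
cat > "$POLICY" <<'EOF'
grant {
    permission java.util.PropertyPermission "*", "read";
    permission java.io.FilePermission "${user.home}/-", "read,write";
    permission java.net.SocketPermission "*.example.internal", "connect,resolve";
};
EOF

# write_enterprise_properties FILE -> the enterprise deployment.properties.
# Each security-relevant property is also locked so the user-level file and
# the Control Panel cannot loosen it. deployment.proxy.type=2 selects
# automatic (PAC) proxy configuration.
write_enterprise_properties() {
    cat > "$1" <<EOF
deployment.system.cachedir=/var/cache/java/deployment
deployment.system.cachedir.locked
deployment.system.security.trusted.certs=$KEYSTORE
deployment.system.security.trusted.certs.locked
deployment.security.trusted.policy=$POLICY
deployment.security.trusted.policy.locked
deployment.security.askgrantdialog.show=false
deployment.security.askgrantdialog.show.locked
deployment.security.askgrantdialog.notinca=false
deployment.security.askgrantdialog.notinca.locked
deployment.proxy.type=2
deployment.proxy.type.locked
deployment.proxy.auto.config.url=http://proxy.example.internal/proxy.pac
deployment.proxy.auto.config.url.locked
EOF
}

# Weak counterpart: same values, nothing locked, so a user's own
# deployment.properties silently overrides them.
write_weak_properties() {
    cat > "$1" <<EOF
deployment.system.security.trusted.certs=$KEYSTORE
deployment.security.askgrantdialog.show=false
deployment.security.askgrantdialog.notinca=false
EOF
}

# has_locked FILE KEY -> succeeds if FILE contains KEY.locked.
has_locked() {
    grep -qE "^$(printf '%s' "$2" | sed 's/[.]/\\./g')\.locked(=.*)?$" "$1"
}

# has_value FILE KEY VALUE -> succeeds if FILE sets KEY exactly to VALUE.
has_value() { grep -qFx "$2=$3" "$1"; }

# audit_properties FILE -> 0 if FILE enforces the locked-down posture
# (keystore configured, no grant dialogs, all of it locked), else 1 with
# the first failing check named on stderr.
audit_properties() {
    f="$1"
    grep -qE '^deployment\.system\.security\.trusted\.certs=.+$' "$f" \
        || { echo "audit: no trusted.certs keystore configured" >&2; return 1; }
    has_value "$f" deployment.security.askgrantdialog.show false \
        || { echo "audit: askgrantdialog.show is not false" >&2; return 1; }
    has_value "$f" deployment.security.askgrantdialog.notinca false \
        || { echo "audit: askgrantdialog.notinca is not false" >&2; return 1; }
    for key in deployment.system.security.trusted.certs \
               deployment.security.askgrantdialog.show \
               deployment.security.askgrantdialog.notinca; do
        has_locked "$f" "$key" || { echo "audit: $key is not locked" >&2; return 1; }
    done
}

write_enterprise_properties "$WORK/deployment.properties"
write_weak_properties "$WORK/weak.properties"
audit_properties "$WORK/deployment.properties" && echo "enterprise deployment.properties: OK"
if audit_properties "$WORK/weak.properties"; then echo "weak file wrongly accepted"; else echo "weak file: rejected"; fi
```

With a JDK present, `keytool -list -keystore trusted.certs -storepass changeit` shows the imported signer; applications whose JARs are signed by that certificate then run without a security dialog and receive only what trusted.policy grants, while everything else stays in the sandbox because both askgrantdialog properties are false and locked. The audit deliberately rejects the weak file: the values alone are not a control if the user can override them.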