How to add Java Exception Site List for all users

I need to use an old Java applet for a certain website, but newer Java versions cannot run it, as it has a self-signed certificate. Reading on Oracle's Deployment Guide, I need to make my own deployment .JAR, with a proper certificate signing (not self signed), just to create the exception I need to run applets from a single domain.

I have found that there is a %userprofile%\appdata\LocalLow\Sun\Java\Deployment\security\exception.sites file, obviously one for each user. In there, one per line, is a list of domains I can set to exclude from NOT being executed. When I add the domain name, the user gets a single prompt, then it just allows that domain for that user. Great.

I know I could add this file to the Default user profile, for any new users being created. Unfortunately, I do not think that removing every user's profile from each of the systems is the right way to go. I can push commands to computers, but the commands run as my user - I can't use %USERPROFILE% for this. I do not want to put it in my login script, as I do not want the file getting large for users who constantly log in and off of systems. I also only want the single domain added to whatever is there, without wiping out the user's preferences that may already exist.

Because I do not want to wipe out their preferences, I thought of doing something along the lines of echo http://www.example.com >> %userprofile%\appdata\LocalLow\Sun\Java\Deployment\security\exception.sites, but that won't work, as it will keep adding to the file.

What can I do to add the list to the Exceptions rule, but only if the rule does not exist already?

Overwriting user preferences and denying users the ability to modify them is something the OP wants to avoid in the first place.

Java no longer placed the config files in these locations in newer versions of Windows, or newer versions of Java.

But Java applets are no more relevant for newer versions of Java, Windows and browsers, I guess. )

Yes, they are. Sadly. I wish they weren't, but my org has a bunch of legacy apps still requiring the JRE on each client. And yes, we're paying Oracle for the privilege.