After much searching and testing we've found only these two ways for a Java Web Start app, properly signed with a trusted 3rd party cert, to be deployed under JRE 1.7.0_51 & display the expected Security dialog (with "Do not show this again..." check-box):
1) Add href= with the launch file self-reference as you describe above, e.g.:
<jnlp spec="1.0+" codebase="http://some.dn.com/OurAppHome/" href="launch.jnlp">
Which is not straightforward for sites that generate the JNLP through, say, ASP, or under other conditions like you note above.
2) The proper thing: JAR manifest such that it shows no Missing Blah-Blah-Blah manifest attribute in console log. The minimal additional manifest attributes for 7u51 we've found must be present (*s as test values):
Permissions: all-permissions
Codebase: *
Application-Library-Allowable-Codebase: *
So our working full build script test manifest looks something like this (version is generated):
<manifest>
  <attribute name="Application-Name" value="Our App Name"/>
  <attribute name="Main-Class" value="com.whatever.main.AppLoader"/>
  <attribute name="Class-Path" value="./Corejar.jar ./Support.jar"/>
  <attribute name="Built-By" value="${user.name}"/>
  <attribute name="Permissions" value="all-permissions"/>
  <attribute name="Codebase" value="*"/>
  <attribute name="Application-Library-Allowable-Codebase" value="*"/>
  <attribute name="Trusted-Only" value="true"/>
  <attribute name="Specification-Title" value="Our App Name"/>
  <attribute name="Specification-Version" value="${version}"/>
  <attribute name="Specification-Vendor" value="Our Company Name"/>
</manifest>
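
An added example, not part of the original post or the poster's build: a Python check that reads the main section of a JAR's META-INF/MANIFEST.MF and reports which of the three attributes listed above are missing and which are still set to the "*" test value. The function names and the sample manifest are constructed for illustration.

```python
import io
import zipfile

# Attributes the post lists as the minimum for 7u51.
REQUIRED = ("Permissions", "Codebase", "Application-Library-Allowable-Codebase")


def main_attributes(manifest_text):
    """Parse the manifest main section, joining wrapped continuation lines."""
    attrs, last = {}, None
    for line in manifest_text.splitlines():
        if not line.strip():
            if attrs:
                break  # a blank line ends the main section
        elif line.startswith(" ") and last:
            attrs[last] += line[1:]  # continuation of the previous value
        elif ":" in line:
            name, value = line.split(":", 1)
            last = name.strip().lower()  # attribute names are case-insensitive
            attrs[last] = value.lstrip(" ")
    return attrs


def audit_jar(jar_bytes):
    """Return (missing, wildcard) lists of REQUIRED names for one JAR."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        text = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    attrs = main_attributes(text)
    missing = [n for n in REQUIRED if n.lower() not in attrs]
    wildcard = [n for n in REQUIRED if attrs.get(n.lower(), "").strip() == "*"]
    return missing, wildcard


def build_sample_jar(manifest_text):
    """Constructed sample: an in-memory JAR that holds only a manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest_text)
    return buf.getvalue()


# Constructed manifest: one required attribute absent, one left at "*".
SAMPLE = ("Manifest-Version: 1.0\r\nPermissions: all-permissions\r\n"
          "Codebase: *\r\n\r\n")

if __name__ == "__main__":
    missing, wildcard = audit_jar(build_sample_jar(SAMPLE))
    print("missing:", missing, "wildcard:", wildcard)
```

Run against each signed JAR in a release build, a non-empty wildcard list flags test values that were never replaced with the real deployment codebase.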