The default is the middle one - no unsigned apps, but they don't have to come from the App Store. Apple is going to start offering "Gatekeeper" certificates for non-App Store developers. The idea being that they can revoke a certificate if an app turns out to be malicious.