Hackers can run arbitrary commands on your Windows machine using a command written in HTML, an Israeli security researcher said. The trick works in Internet Explorer and Outlook even if Active Scripting and ActiveX are disabled. A demonstration script is available.
The demonstration launches the calculator from an HTML file. Microsoft said it will patch the hole, but in the meantime a workaround proposed by Axel Pettinger and Garland Hopkins is apparently working; the registry patch is also available at the source.
The workaround does, however, cause IE to display a security warning that cannot be turned off.