A vulnerability exists in the MHTML URL Handler that allows any file that can be rendered as text to be opened & rendered as part of a page in Internet Explorer. As a result, it would be possible to construct a URL that referred to a text file that was stored on the local computer & have that file render as HTML. If the text file contained script, that script would execute when the file was accessed. Since the file would reside on the local computer, it would be rendered in the Local Computer Security Zone. Files that are opened within the Local Computer Zone are subject to fewer restrictions than files opened in other security zones.
Microsoft Outlook Express 5.5
Microsoft Outlook Express 6.0