Over on Pivx Solutions they've made a post regarding the codeBase vulnerabilities in Internet Explorer, something which has been at the root of multiple vulnerabilities in the browser over the years. Here's a small portion:
Microsoft have to realize that the current tight integration of innocent browser-level functionality cannot peacefully coexist with the application-level functionality (such as executing commands & reading files) that local zones expose. The Internet Zone & Local Zones should not both be exposed through Internet Explorer. In fact, I would recommend that Local Zones should be severely crippled in the short term, & completely removed in the long term. Everything that application-level Local Zone documents & help files require can already be accomplished through the use of HTML Applications - which have already existed for years as well.
Would you like to know more? It's a pretty interesting read if you're into this sorta thing. On a related note I'll have a decent update for the Internet Explorer section of our Securing Windows guide soon enough.