I've noticed that on my test environment it is possible to bypass Internet Explorer Zones protection by flooding it with large number of file:// requests in example to infected fileserver. The result of this bypass is EXECUTION OF ANY REQUESTED FILE. My requested file was 'trojan.exe' placed on neighbour WIN2K Professional workstation. To see code used during the test check files in attached archive.
On IE 6.0 the result was always the same, after more than 200 dialog boxes with 'trojan.exe' request, suddenly requested file got executed. For the purpose of this test I've used 2 Win2K & WinXP workstations with Internet Explorer 6.0.2800.1106 (I believe that's most recent version of IE) & on both workstations opening the 'dmz1.html' file trough LAN share resulted in executing 'trojan.exe' application. My Internet Security Zone was set to "MEDIUM".