m$ has discovered a flaw and now updated by patch (early this morning) about
MS03-040 :
A vulnerability that occurs because Internet Explorer does not properly determine an object type returned from a Web server in a popup window. It could be possible for an attacker who exploited this vulnerability to run arbitrary code on a user's system. If a user visited an attacker's Web site, it could be possible for the attacker to exploit this vulnerability without any other user action. An attacker could also craft an HTML-based e-mail that would attempt to exploit this vulnerability.

more info in 24hrs exploit in 10

More information here http://www.k-otik.net/bugtraq/10.04.MS03-040.php

flame, no offense man but the exploits are now dried up and old/obsolete. Those patches fix all the hta and media bugs. I have been working on this since they released the patch last night at around 9pm (my time) (yes I was checking constantly because I do a lot of work with this)... and I have only found two ways to root fully patched IE.

Anyway the stuff covered in the MS advisory already has exploits galore. Just a minor correction to what you suggested.