I wouldn't call a graphical API a problem with IE.
There was a exploit with IE where you can run Machine code in the image when displayed to the end user.
Um, you do realise PHP can be installed on pretty much anything right?
this will be saved as this-is.php on your server, i think only works with linux web servers.
The best thing to do would be to prevent people from uploading web based scripts altogether. Meh... you wouldn't beleave how quickly search engines pick up on junk like r57 and c99shell. Infact, ten seconds after some chump uploads scripts like that someone else will have already gained enought privileges to overwrite everything in the web directory.
so best would be to use some number when saving file on the server side.
You may want to take another look at the link that was posted.
The article didnt really say how he did it, so he might of used the php method.