Hasn't that already been done? It seems like such an obvious exploit. Load an ActiveX object that has write access to the hard disk and bam! you've got an exploit.