From time to time I look at new exploits, and sometimes I see exploits that cause HTML to run in the "My Computer" zone, but as far as I know, the "worst" thing you can do with HTML is activate an EXE file.

So I say to myself, "Oh no, I'm doomed, someone can activate my calculator!"

That's why I was wondering: what is the worst thing HTML that runs in the "My Computer" zone can do? Why do I need to defend against those?