August 19th, 2004, 06:38 PM
#1
Microsoft Internet Explorer Drag and Drop Vulnerability
From Zone-H.org:
08/19/2004
Description:
http-equiv has discovered a vulnerability in Microsoft Internet Explorer, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to insufficient validation of drag and drop events issued from the "Internet" zone to local resources. This can be exploited by a malicious website to e.g. plant an arbitrary executable file in a user's startup folder, which will get executed the next time Windows starts up.
http-equiv has posted a PoC (Proof of Concept), which plants a program in the startup directory when a user drags a program masqueraded as an image.
NOTE: Even though the PoC depends on the user performing a drag and drop event, it may potentially be rewritten to use a single click as user interaction instead.
This vulnerability is a variant of an issue discovered by Liu Die Yu.
SA9711 http://secunia.com/SA9711/
The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP1/SP2.
Solution:
Disable Active Scripting or use another product.
Provided and/or discovered by:
http-equiv
Other References:
SA9711:
http://secunia.com/advisories/9711/
For more information, check out this link.
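As an added example (not part of the quoted advisory or the original post): a Python check for the outcome the advisory describes, an executable planted in the Startup folder under an image name. The folder to audit is supplied by the caller; the file names and header bytes used in `demo()` are constructed samples.

```python
import tempfile
from pathlib import Path

# Extensions expected to hold PE content; an MZ/PE file under any other name is masquerading.
PE_EXTENSIONS = {".exe", ".dll", ".scr", ".com"}

def is_pe(path):
    """True if the file starts with a DOS 'MZ' header that points at a PE signature."""
    with open(path, "rb") as fh:
        head = fh.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        fh.seek(int.from_bytes(head[0x3C:0x40], "little"))  # e_lfanew field
        return fh.read(4) == b"PE\x00\x00"

def audit_startup(folder):
    """Return (file name, finding) for every PE file in a Startup folder."""
    findings = []
    for entry in sorted(Path(folder).iterdir()):
        if not entry.is_file():
            continue
        try:
            if not is_pe(entry):
                continue
        except OSError:
            findings.append((entry.name, "unreadable"))
            continue
        masked = entry.suffix.lower() not in PE_EXTENSIONS
        findings.append((entry.name, "masqueraded executable" if masked else "executable"))
    return findings

def constructed_pe_stub():
    """Constructed sample bytes: just enough header for is_pe(), not a runnable program."""
    return b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00"

def demo():
    """Audit a temporary folder populated with constructed sample files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "holiday.gif").write_bytes(constructed_pe_stub())  # PE under an image name
        (root / "updater.exe").write_bytes(constructed_pe_stub())  # PE under its own name
        (root / "logo.gif").write_bytes(b"GIF89a" + b"\x00" * 64)  # genuine image header
        (root / "notes.txt").write_bytes(b"MZ")                    # too short to be a PE
        return audit_startup(root)

if __name__ == "__main__":
    for name, finding in demo():
        print(f"{finding}: {name}")
```

A Startup folder normally holds shortcuts, so any PE file reported here is worth a look, and one reported as masqueraded matches the pattern in the advisory.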