Internet Explorer security hole

New Windows / Internet Explorer security hole: Upload any Windows executable you like to a web server. Set up the web server to send .exe files as text/html. Put a CLSID in the filename. Post links to the file, cloaking them as http://www.innocenturl.com%01%00@www.yoursite.com/virus/whatever via the previously announced URL cloaking bug. Wait for anyone using Internet Explorer to click on the innocent-looking link and get asked if they want to open the HTML web page.