I'm not knocking security, maintaining updates, safe browsing, privacy, etc. Where is the security hole in browsing the contents of the user's local hard drive? You can do it here: file://c:/. This is a common trick to make the surfer think the website has access to the local files, when you are really opening them locally with no information sent back to the website. It could target a file like "test.txt" if one exists or, as the demonstration showed, change the target file in the script. (It could not open anything in my case, even when I pointed to a text file that was there.) In most cases, when you visit static websites, you really are opening a copy of the website's files on your hard drive in the first place (temp internet files). I do realize this is not true for those sites with dynamic content. The "exploit" here is doing the same thing as File > Open > and selecting a directory or file. There have been exploits that open "command.com" or "cmd.exe" upon opening a web page or clicking a link that have the potential to be dangerous, but those are negated by several means (disabling active scripting for one) and, as I understand, could not feed a command line parameter like "format c:" that could do serious harm to somebody.
Again, practice safe browsing, keep patches up to date, use AV software, employ a firewall (to control outbound as well as inbound traffic), scan with things like Ad-Aware, use a Trojan detector, set your email client to open things in the highest security zone, and don't preview email (always return to the inbox; do not go to the next note after closing the previous). No one method is going to work, but combined you have a better chance to surf the web more safely.
I'll add this: while it is clear that security is, if anything, an afterthought to the minds at MS, and much could be improved by changing the default OS settings from what appear to be the least secure to higher security, it is also up to the consumer to use the product within their abilities and to learn of its abilities and limitations as well. You cannot rely on MS to protect you; you must educate yourself as well. There is an element of personal responsibility here. The consequences are too great if you do nothing yourself.
It is analogous to operating an automobile. Most cars will go faster than the speed limit, the driver's abilities, and the safe operating envelope of the particular automobile. That does not mean that because your car can go 150 MPH around the DC beltway you should drive it that way.