I know I should post this in "General Computing" but no one reads that and this is a serious issue.
From the Spyware newsletter:
http://www.secunia.com/advisories/9580/
Internet Explorer determines whether an object is safe when it interprets the file extension specified in the "Object Data" tag. This allows a malicious person to specify a "safe" file with eg. a ".html" extension in "Object Data", which causes Internet Explorer to interpret it as a "safe" file. However, when the file is retrieved by Internet Explorer the "Content-Type" header determines how the file will be treated. This allows an executable file like a ".hta" file to be treated as a "safe" file and be executed silently without restrictions.
NOTE: Further information has been released by http-equiv, proving that the patch from Microsoft is not adequate. Refer to solution section.
Secunia has constructed a vulnerability test, which can be used to check if you are affected by this issue: http://www.secunia.com/MS03-032/