Windows Desktop Search opened HTML result pages in a context where navigating location to a local executable path would launch that executable. The fix required restricting the zone or navigation capabilities of the Desktop Search result renderer.

<script>
setTimeout('location = "file:///C:/WINDOWS/system32/sol.exe";',1);
// This also worked:
// setTimeout('document.URL="file:///C:/WINDOWS/system32/sol.exe";',1);
</script>

This variation was also found by David Ross, who took the same technique in a slightly different direction — using a <meta http-equiv="refresh"> redirect to the executable path rather than a script-driven navigation.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.