This is what MS has been up to. I somehow suspected it has always been the case, but here is ample proof.
"We understand that the main problem is online web sites that find security holes so as to be able to run code locally. Code that runs locally used to be able to damage your system because it ran with the highest privileges. So - rather than block up the security holes - Microsoft have decided to clamp down on all local web page active content so that the user has to agree to various dire warnings before letting it run."
More on http://www.phdcc.com/xpsp2.htm
A classic case of solving the wrong problem.