Normally, a Web site can point to a local file on a visitor's computer and call that file up in a browser window. Under IE's security restrictions, only the visitor, not the site, should be able to read that file.
Microsoft said it was investigating the problem but declined to comment further on it or the technologies involved.
Security analysts said the risk from such a scenario was high, and that the frequency of similar vulnerabilities pointed to a fundamental problem with the security models Microsoft and other software companies employed for their consumer products.
"The technology required is not new," SecurityFocus.com analyst Elias Levy wrote in an advisory on the bug to the Bugtraq security mailing list. "It's been available for years in 'trusted' operating systems used for some purposes by the military. Things like compartments, capabilities, privileges, information labels and data tainting need to be adopted by consumer operating systems."