By combining Content-Location: file:///xxx.exe with codebase property of <object> tag it's possible to execute .exe file embedded into HTML.
vulners.com/securityvulns/securityvulns:doc:4137
vulners.com/securityvulns/securityvulns:doc:5360