Suprisingly, JavaScript Code could execute any process it want. Why?

Question

I asked "How to run a executable file from a web page?"

Many people told me that's impossible, but my colleague find a piece of JavaScript code that could execute any process. I can not believe ActiveX is so dangerous.

How could this happen? Why this is not forbidden by IE?

    <SCRIPT   language=JavaScript>   
  function   Run(strPath)   {   

  try   {   
  var   objShell   =   new   ActiveXObject("wscript.shell");   
  objShell.Run(strPath);   
  objShell   =   null;   
  }   
  catch   (e){alert('Can not find "'+strPath)   

  }   
  }   
  </SCRIPT>   

  <BUTTON   class=button   onclick="Run('notepad')">notepad</BUTTON><br>   
  <BUTTON   class=button   onclick="Run('mspaint')">mspaint</BUTTON><br>   
  <BUTTON   class=button   onclick="Run('calc')">calc</BUTTON><br>   
  <BUTTON   class=button   onclick="Run('format c:')">format c:</BUTTON><br>   

Answer 1

While you can do this IE will block it saying that there is an

ActiveX Control is trying to access you computer, click here for options

You can only run these if the end user allows them too and hopefully people are clever enough not to allow it to run. If you do allow it then there is always another alert asking if you really want to run this so there should be enough security around it.

Answer 2

Local files run in a different security environment than remote files, so while that will work if you save the file as an html and open it from your computer, if you upload it on a server and try to run it from there it will not work.