and thats the route microsoft took with security in windows 8 but i dont think they felt that was the right path then.http://www.extremetech.com/computing/13 ... -mobile-os
also, i dont see how that would be difficult.
being that aspx runs in the DotNet framework and has direct access (through C#,F#,VB.net, etc...) to the Windows API, placing a file on the users hard drive really wouldnt be all that difficult, its just a matter of knowing which libraries to use.
i mean, I just opened windows media player from excel (VBA) and ran a video via a URL without prompt, it wouldnt be any harder to run that code on someone elses PC. as far as the OS is concerned, the command is coming from your PC so it must be you. I could send that spreadsheet to someone and have it install a file and there's almost no way the OS would know, regardless of the operating system. especially considering how uncommon it is to use VBA directly for file IO.
and thats VBA, which is much less powerful than VB.Net or C#, and honestly less flexible than almost any popular language. (its not even an OOP)
it looks like there are some methods of some classes from certain DLLs that are blocked for use in VBA, but i think thats just a limitation of the language.