RSS security in IE7 and attachments - how does it work?
The RSS team have written a new article about RSS in IE7 and how it handles attachments:
Of particular interest is this comment:
"We decided not to permit directly-executable (i.e. any file that would execute arbitrary code when double-clicked) or other dangerous files to be downloaded as feed enclosures (there are no common scenarios that require this today, and if it is absolutely necessary, it is possible to wrap an executable file in another format, so that it is no longer directly executable)... AES also has a mechanism which allows security programs, such as anti-virus or anti-spyware, to integrate with it, allowing them to inspect files before we make them available to developers or users."
Note that the ability to download enclosures is also controlled by Internet Explorer's security zones. If you want to block all enclosures from a site, simply add it to your Restricted Sites zone.