In Internet Explorer 4, a JavaScript program can be used to "bully" someone into running an unsafe ActiveX control. The unsafe ActiveX control to be executed is referenced by a Web page that is downloaded from a Web site. The bullying is done by a JavaScript program in the Web page. When the Web page is downloaded, Internet Explorer 4 will bring up a security warning saying that there is an unsafe ActiveX control on the Web page. If the answer is to not run the control, JavaScript on the page detects this choice and reloads the page. The reload causes the security warning to be presented to the user again. The bullying code will continue to reload the page until the user answers "Yes". Once the user answers "Yes", the ActiveX control has free run of the user's computer. Two especially dangerous controls are Microsoft's FileSystemObject control, which allows file I/O, and the WSH shell control, which allows Windows programs to be executed. These two controls are installed with the Windows Scripting Host in Windows 95.

In Windows 98, this issue was partially addressed by changing the default security settings for the Internet Zone to disable unsafe ActiveX controls altogether.

However, if an HTML page is loaded from the hard disk, then the bullying technique still works. An HTML page would be loaded from a hard disk if it were sent as an attached file to an email message in Eudora or Outlook Express.

Also, in Windows 98, the FileSystemObject is now a standard part of the operating system and therefore can be used from any Web page.
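
Because the remaining exposure is HTML opened from disk, for example a mail attachment, one defensive check is to scan HTML files for script that instantiates either of the two controls and also re-requests the page. The following is an added example, not code from the original advisory. It assumes the controls are created from script by their standard ProgIDs (`Scripting.FileSystemObject` and `WScript.Shell`, which the page does not list); the function name, verdict labels and sample documents are constructed for illustration.

```python
import re

# Assumption: the two controls named above are created by these ProgIDs.
RISKY_PROGIDS = ("scripting.filesystemobject", "wscript.shell")

# Contents of <script> elements; matches in ordinary page text do not count.
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
# JScript "new ActiveXObject(...)" and VBScript "CreateObject(...)" forms.
INSTANTIATE = re.compile(
    r"""(?:ActiveXObject|CreateObject)\s*\(\s*["']([\w.]+)["']""", re.I)
# Calls that re-request the current page, which re-raises the warning.
RELOAD = re.compile(r"location\.reload\s*\(|history\.go\s*\(\s*0\s*\)", re.I)


def scan_html(html):
    """Return (verdict, progids, has_reload) for one HTML document.

    block  - a risky control is instantiated and the page can reload itself
    review - a risky control is instantiated, no reload call found
    pass   - no risky control is instantiated from script
    """
    scripts = "\n".join(SCRIPT.findall(html))
    progids = sorted({p.lower() for p in INSTANTIATE.findall(scripts)
                      if p.lower() in RISKY_PROGIDS})
    has_reload = bool(RELOAD.search(scripts))
    if progids and has_reload:
        return "block", progids, has_reload
    if progids:
        return "review", progids, has_reload
    return "pass", progids, has_reload


# Constructed sample attachments (not taken from any real message).
SAMPLES = {
    "control_and_reload.html":
        '<script>var f = new ActiveXObject("Scripting.FileSystemObject");</script>'
        '<script>function again() { location.reload(); }</script>',
    "control_only.html":
        '<script language="VBScript">Set sh = CreateObject("WScript.Shell")</script>',
    "benign.html":
        '<script>function refresh() { location.reload(); }</script>'
        '<p>Scripting.FileSystemObject is mentioned in text only.</p>',
}

if __name__ == "__main__":
    for name, html in SAMPLES.items():
        print(name, scan_html(html))
```

The check covers script instantiation by ProgID only; controls embedded with an `<object>` tag are not detected by it.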