umm...do you remember the Windows cursor exploit? It was basically an unchecked buffer between the Win32 and NT kernel APIs that allowed a specifically crafted cursor file to run privileged code on the user's system. Since custom cursors are part of the CSS standard, every web browser on Windows that supported CSS implemented this feature and was vulnerable to the exploit by just visiting a page that specified the correctly crafted file in their stylesheet. It didn't require any user download or any of the usual attack vectors (ActiveX plugins, Java or scripting).
A common way to spread malware these days is to break into an adserver and upload an exploit to it. Then the exploit will be distributed across even well known and trusted sites which display ads from a third party service. Our workstations at work commonly get malware from users visiting news sites.
What I'm saying is that even the most cautious users can get owned without doing anything stupid...
"May your future be limited only by your dreams." -- Christa McAuliffe