Firstly we are using a dual screen workstation running windows 2000 in a domain environment but am unsure if the issue is limited to this setup. (I plan to test this further with a single screen and different OS version probably XP)
If an administrator or any user were to lock their workstation and await the screensaver to display. Press F1 and when the browser launches it is launched under the logged on users account. Simply using the address bar you could type in any valid network share and it would open in the browser.
Under a standard users account their home drive, or any other shares they have access to, would be available. Under an administrators account the access could potentially be very dangerous or a security risk.
In the other post it states:
there was a bug in windows that did not permit launching URLs during screensaver action when F1 is pressed, so we found a workaround that allowed us to execute Internet Explorer.
Surely the fact that windows will not allow a browser to be launched is not a bug but a security feature?
The OS allowing you to work around this at all is the real bug / security hole.
Or am I really confused here? It is getting late now and perhaps I should rest!