A malicious web site operator could design a web page that, when visited by an IE5 user, would read a local file from the victim host (or any file on the victim's network to which the victim has access) and send the contents of that file to a designated remote location.
1) The IE5 user visits a malicious web site.
2) The web site instructs the client to open another IE5 browser window and display the contents of a file residing on the IE5 user's host (or another host on the network to which the IE5 user has access).
3) Immediately after opening the new browser window, the window is instructed to browse to a specified web site ie: http://malicious server.com/hack.cgi?doit.
Microsoft has released a FAQ that contains a good description of this vulnerability: http://www.microsoft.com/security/bulletins/MS99-043faq.asp.
alert("Create a short text file C:\\TEST.TXT and it will be read and shown in a dialog box");