Microsoft has denied that a 'trick', which could allow an executable file to be launched when a user types a Web address into Internet Explorer, is a security vulnerability.
Using Windows XP and Internet Explorer, it is easy to create a scenario where a user types a Web address -- such as www.microsoft.com -- into their browser and, instead of launching the Web site, the browser runs an executable file that is located on the user's computer.
More info can be found at:
ZDNet Australia
Security suites often monitor startup programs, but I don't know of any that monitor shortcuts. This provides opportunities for intruders to place reliable user-triggered trojans, and for the executables to be hidden in stealthier places.