During my tests I discovered that IE associates the telnet://
URL with the vulnerable telnet.exe. This opens up several
possible ways to force a user into connecting to you with a
malicious HTLM web page, email message, and so on. I would
speculate that it might also be possible to force this to
or really creative HTLM.