I have since tested this on another IE6 (Windows XP) machine (default settings) and this too will load a file off the local machine, from a page in the Inernet Zone. ie...

<!-- Works OK in IE6 --> 
<script src="file:///C:/test.js" type="text/javascript"></script>

However, IE7 (Vista) will not and gives the same error as IE6 as if the file does not exist. (This might be a restriction of Vista, as opposed to IE7, not sure.)

Not ignoring this post, watching . . . however I'll comment that I do all my testing offline, and have no problem testing scripting in IE with relative paths:

<script src="../scripts/test.js" type="text/javascript"></script>

within the scripts, you need to also go relative:

some_link.onmouseover=some_object.src='\.\.\/images\/some_image.jpg"

(backslashes may or may not be required, old habit . . . )

Then on upload, I change all to root relative

<script src="/scripts/test.js" type="text/javascript"></script>

some_link.onmouseover=some_object.src='\/images\/some_image.jpg"

You do, however, have to do one of the following:
- Click the "warning" bar when loading the page to allow scripts to execute offline
- Put that comment hack at the top (you know the one, there's posts here about it)

It's entirely possible you have some IE setting to just disallow the scripts with no such warning?

It's entirely possible you have some IE setting to just disallow the scripts with no such warning?

I don't actually have a problem per se. IE allows the script to run (which I was not expecting). All other browsers disallow the script from running (which is what I would expect - due to security).

I must say, this is not a conventional website (and in this case it may end up running within a closed network anyway where normal permissions might allow, but anyway...)

An example... A page on the internet, accessing a JavaScript file on the local machine.

index.html

<html><head><title>Test</title> 
<script type="text/javascript" src="file://C:/Test/test.js"></script> 
</head> 
<body> 
<script type="text/javascript"> 
document.write('TEST = ' + TEST); 
</script> 
</body> 
</html>

And C:\Test\test.js contains...

var TEST = 'YES - LOCAL MACHINE';

In my OP I used 3 forward slashes - this is not necessary (it works either way).

In IE6 (Windows XP) I get a page showing "YES - LOCAL MACHINE". In all other browsers I just get an undefined variable JavaScript error, since (I assume) browser security prevents a file being pulled off the local machine! IE6 (WinXP) allows this.

You do, however, have to do one of the following:
- Click the "warning" bar when loading the page to allow scripts to execute offline
- Put that comment hack at the top (you know the one, there's posts here about it)

Yes, if index.html was on the local machine I'd need to use a MOTW ('comment hack') to avoid the 'active script' warning bar. But in this case index.html is online.

Yes I think that's a bug/security hole - although I'd never seen it work that way, in the src!

I used to take advantage of it with an "image preview." When someone would go to upload a photo I was able to read the file they selected in the file download box and allow it to preview on the page below the form before uploading. It was kinda cool, but a bug nonetheless.