because, even though the browser doesn't run it, a malicious script can run an activex control in the background ( no windows open, nothing visible at all ) that can be used to do just about anything to your computer that you can do.