By defauly, buth IE and Netscape run Javascript, and IE runs VBScript on it's own by default. Security warnings might pop up if it tries to install anything, or do things beyond the sandbox. Normally when I worked with Javascript, it has severe limitations on what data it could work with as a security precaution. Who knows how tight IE follows those rules though.

If the BBS dosen't currently support stripping dangerous code out, it should be suggested by Paul, as he is the registered user of the software. It should be non trivial to add, and secure enough to enable HTML code again. Everyone takes a risk by connecting to the internet, web sites can only go so far. Beyond that, it's the users responsibility to either apply the 30 patches a month to IE, or find a different browser.

And the only server vunerability known for UBBThreads was fixed in this version (5.5). And it was usable even with HTML code off.