From http://support.microsoft.com/default.aspx?scid=kb;EN-US;q241754 :

Cross-frame scripting was disabled to prevent a Trojan Horse-style security hole called frame spoofing, in which a Web site masquerades as a frame inside of a trusted Web site in order to steal user information. The following Knowledge Base article explains how to enable cross-frame scripting using document.domain for documents from different machines on the same network:

Q167796 PRB: Permission Denied When Scripting Across Frames

However, this is not effective for machines on the same network that resolve to different top-level domains; for example, Web sites on the same machine that use different virtual hosts. It also does not work for two distinct sites that have partnered with one another and wish to interact via frames.

In these situations, developers building solutions for Internet Explorer 5 can bypass cross-frame security for a frameset they have authored by turning it into an HTML application (HTA). This involves giving the page an extension of .hta and inserting the tag <HTA:APPLICATION> at the top of the page underneath the HTML tag. Each frame that attempts to script another frame (for example, the script source) must have the attribute pair "APPLICATION=yes" inside its FRAME tag.

When a user accesses the HTA, it asks whether he or she wants to "execute" the file. If the user says yes, the HTA opens in its own window. From that point on, documents can script freely across frames whose documents come from different domains. This is considered secure because it uses trust-based security: The user must verify that he or she trusts the host will refrain from intentionally malicious programming.