I would like to second your thoughts and add one more:
Extensions of DOC are also risky in that they could be MS-WORD documents with internal macros that are themselves destructive Trojan Horses. (For those who don't know the definitions, AOL4FREE.COM is a Trojan Horse because it does not self replicate.)
This is also a good time to present the bad news that while the browsers are becoming more sophisticated they are also opening huge holes in the security of the PCs on which they run. ACTIVEX and JAVA programs can do damage with not so much as a whisper to the user until the deed is done (and sometimes not then). The Internet requires a certain amount of mutual trust if it is to function as the information exchange medium it is now. As more destructive types get on the 'net we may have to rethink just how trusting are we willing to be. Both ACTIVEX and JAVA are being studied to close those holes, but it is a monumental task to do so while retaining the ease of use and relative invisibility of those powerful extensions to the browsers.