Windows has maintained the ability to embed HTML into its user interface for many years. As far back as Windows NT 4.0, it has been possible to embed HTML into the task bar, but the operating system (OS) has always maintained a sandbox from which the HTML has been unable to escape. All this, however, changes with Windows Vista. This paper seeks to inform system administrators, users, and the wider community about both the potential attack vectors using gadgets and the solutions provided by Windows Vista.