If a user sets the option "Prompt to allow cookies to be stored on your machine" I have found that this can be bypassed in ME by local Javascript code directly setting a cookie. A request to disable the storing of cookies is honored but not the option to prompt before storing them. Hence it is insecure to set this option with Javascript enabled. It is no known if this is fixed by any combination of patches issued by Microsoft.
