The problem is not solved by a Content-Disposition header: IE will display a download dialog with an option to "View the HTML" file, which will execute the script. One step more, but still bad.
A detailed description of the problem is available on my blog at http://www.splitbrain.org/blog/2007-02/12-internet_explorer_facilitates_cross_site_scripting
The problem also exists for images, which need to be sent inline. The current development code contains a check whether uploaded images are valid images, but, as described in the post mentioned above, even valid images can be used to fool IE.
To avoid the cross-site scripting problem we could add a "strict checking" option that implements the same stupid method MSIE uses and denies uploading of anything containing a script tag in the first 250 bytes.
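One way to implement the "strict checking" option described above, as an added example in Python (my own illustration, not code from the project or from the comment's author). It builds a structurally valid 1x1 GIF that carries a script tag in a GIF comment block, shows that a plain "is this a valid image" check lets it through, and shows that a sniffing check over the first bytes of the file rejects it. The function and constant names, the simplified GIF validity check, and the extra HTML markers beyond `<script` are assumptions made for this example; the comment above only names the script tag and the 250-byte window.

```python
# Sniff window: the comment above says 250 bytes; Microsoft's documentation for
# FindMimeFromData says IE examines the first 256 bytes. The larger value is
# used here so that the check is at least as strict as either figure.
SNIFF_WINDOW = 256

# Markers that cause IE's sniffer to treat a response as HTML. "<script" is the
# one named above; the rest are an assumption, added to generalise the check.
# Verify the list against the IE documentation before relying on it.
HTML_MARKERS = (
    b"<script", b"<html", b"<head", b"<body", b"<title",
    b"<a href", b"<img", b"<plaintext", b"<table", b"<pre",
)


def sniffed_as_html(data: bytes, window: int = SNIFF_WINDOW) -> bool:
    """Mirror IE's content sniffing: look for HTML markers (case-insensitively)
    only inside the first `window` bytes of the upload."""
    head = data[:window].lower()
    return any(marker in head for marker in HTML_MARKERS)


def looks_like_gif(data: bytes) -> bool:
    """Simplified stand-in for the 'valid image' check: GIF signature at the
    start and the GIF trailer byte at the end. A real check would decode the
    file; this is enough to show why such a check alone is not sufficient."""
    return data[:6] in (b"GIF87a", b"GIF89a") and data.endswith(b"\x3b")


def gif_with_comment(comment: bytes) -> bytes:
    """Constructed sample: a minimal valid 1x1 GIF89a with `comment` stored in
    a Comment Extension block (0x21 0xFE), i.e. a well-formed image that
    happens to contain attacker-chosen text near the start of the file."""
    header = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x80\x00\x00"   # 1x1, 2-entry colour table
    colour_table = b"\x00\x00\x00\xff\xff\xff"                   # black, white
    # Comment data is split into sub-blocks of at most 255 bytes, each prefixed
    # with its length, and terminated by a zero-length block.
    chunks = (comment[i:i + 255] for i in range(0, len(comment), 255))
    sub_blocks = b"".join(bytes([len(c)]) + c for c in chunks)
    comment_ext = b"\x21\xfe" + sub_blocks + b"\x00"
    # Image descriptor for a 1x1 frame, LZW minimum code size 2, and the LZW
    # stream "clear, pixel 0, end-of-information" packed into two bytes.
    image = b"\x2c" + b"\x00\x00\x00\x00" + b"\x01\x00\x01\x00" + b"\x00"
    image += b"\x02" + b"\x02\x44\x01" + b"\x00"
    return header + colour_table + comment_ext + image + b"\x3b"


def upload_allowed(data: bytes, strict: bool) -> bool:
    """Upload gate: always require a valid image; with strict checking also
    refuse anything IE would sniff as HTML."""
    if not looks_like_gif(data):
        return False
    if strict and sniffed_as_html(data):
        return False
    return True


# Constructed sample payload: the script tag sits within the first 60 bytes.
POISONED_GIF = gif_with_comment(b"<script>alert(document.cookie)</script>")
CLEAN_GIF = gif_with_comment(b"created with an image editor")


if __name__ == "__main__":
    print("valid image:", looks_like_gif(POISONED_GIF))            # True
    print("allowed without strict:", upload_allowed(POISONED_GIF, strict=False))  # True
    print("allowed with strict:", upload_allowed(POISONED_GIF, strict=True))      # False
    print("clean image allowed with strict:", upload_allowed(CLEAN_GIF, strict=True))  # True
```

The check deliberately looks only at the sniff window, because that is the behaviour it imitates: a marker placed past the first 256 bytes is ignored by the check for the same reason IE ignores it. It says nothing about other browsers or other sniffing heuristics, so it is a mitigation for the specific IE behaviour described above, not a general proof that the image is harmless.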