I get it
I assume the point is that you break the WEP key on the client and wait for the Wndows Zero Configuration Client to search your preferred network list (PNL) and connect to a soft AP which now offers a network connection with your SSID and WEP key. The attacker could then run Nessus etc and potentially exploit the host. I have to say when I’ve tested this type of attack most clients have a non encrypted network in their preferred network list like t-mobile, BTOpenzone etc so no need to set-up a WEP authenticated connection to get them to connect. However it's good to know this could be done.