application/hta
Aaagh!
In the description, Wonkypedia says: "An HTA executes without the constraints of the internet browser security model; in fact, it executes as a 'fully trusted' application."
So, by definition, it should either not be loaded remotely at all, or should be signed.
The fault is Microsoft Word's as it is loading untrusted content and running it in a trusted environment. If that is necessary for a feature to work, then Microsoft have deliberately subverted their own security rules to make Word look cool. Isn't that culpable?