Well first of all I want to congrats my friend kuza55 because of his talk "Unusual Web Bugs" at 24c3, was a success.
I watched it on the stream, and even do it dropped every 2 minutes, the audio was sort of constant, so I was able to hear it.
So, it was awesome, and he used the stuff that was investigated and discovered lately, so that was a cutting edge talk.
Anyway, I tried to make kuza receive a message for the Q&A, that wasn't able to arrive, when you say that the header Content-Disposition: attachment is a restriction that no one has been able to bypass, well it's bypassable, and I dunno why I didn't told you about this.. anyway..
Suppose that http://www.victim.com/downloads.php?file=999 is a downloader that sends the header: Content-Disposition: attachment, then you can make IE to display the content as "the best guess", by caching it first, like this:
The iframe will load the cached source, and it will show the best guess IE can make.
I haven't tested this on firefox, sorry, but at least it works on IE 6 and 7.
So, that's mostly all, just wanted to say that..