In a security advisory for the recently updated Safari browser, security service provider ACROS explains the problem. Attackers first save an HTML file and a manipulated file called explorer.exe on a drive. When the victim opens the HTML file with Safari, nothing happens initially, but the file does contain a link to a URI that starts with "file://", which causes Windows to try to start Windows Explorer (explorer.exe). Unfortunately, Windows loads the explorer.exe within the containing folder (the network share) and executes it.
For further details, see ACROS' Binary Planting Goes EXE.