Thanks for the tip. Unfortunately, we're using Sophos, not Symantec,
and according to our admin guy, "Sophos doesn't do that." He checked
out the relevant registry keys, and they are still set to the
defaults... no evidence of script blocking.

We're going to escalate this to Microsoft. I just figured I'd post to
thank you (and see if you had any other ideas.