Re: The Web should be for content, not code
The problem here is not the browser or downloadable code, merely that in the given case the malicious file is opened automatically in the browser. The attack could perfectly possibly also be triggered by saving the download and opening the bogus PDF manually. So if the browser is relevant at all, it's the hazard posed by browser helpers automatically opening files.
HTTP file download is very convenient, and restricting it to non-executables would be both hard and intrusive. What's needed here is to exercise caution when browsing the web as by now we should all know that a lot of what's presented is not to be trusted.