This is not only a misfeature, this goes against one of the fundamental principles in informational security: in a data exchange between systems, don't mix the data with instructions on how to process it, or if somebody does it to you, never accept the instructions from untrusted sources. This is why Java applets are run in a sandbox, and why .rpm and .deb packages come signed. Against a CD-ROM in Windows, you have no protection, except what? Holding Shift down, uttering a prayer to God Allmighty? Gimme a break. I can "play" CD-ROMs myself, thank you very much!
Windows 2000, an allegedly stable and secure operating system, has a number of so-called security policies, with which I can disable things at my heart's desire. But why this "Autorun" abomination is not among these policies is beyond me. No,
it takes downloading the TweakUI add-on to be able to turn it off, and it's provocatively filed under the "Paranoia" tab.
OK, now you know I'm paranoid. Just as the next person with this disorder, I have my theory. Autorun is a pet feature of a senior Microsoft exec, and it is pushed by this person through every release, poo-pooing
warnings from security analysts. Or maybe they have a secret agenda to discourage use of "dubious" discs,
thereby suppressing piracy?
Anyway, now you can crash your computer with the new copy-perverted Celine Dion CD, without any effort! All you have to do is to put the CD in.