If you don't want to heavy a webserver, perhaps you could be like webmin and run a baby perl webserver inside your app? Then it would also work for all browsers and not just IE. Webmin does SSL, and you can also do neat things like only accepting connections over the local host. Yes, I just mentioned a Linux app -- I know -- but it's Perl, and it is an example of a baby web server.

Not to be misinterpreted, but what your are proposing is not only IE centric but rather hackish and non-standard. If it happens to work, it may not work in the future with different versions of IE -- and it's just weird. I would install a baby pure-perl deamon as a service -- and code your app so it works with all browsers, not just IE. And you can also use SQL, etc -- it's CGI, that's a well (or at least better) defined idiom for writing software.

Update -- some other monks have suggested the micro-server and localhost, good for them. I want to add, dragon', that security holes are invented by programmers, not network sockets or the programmers who use them. Write solid code, and code it wisely, and your system will remain safe. If this means localhost only, that's the way to go. For network apps, Perl is not a security hole either -- it's bad usage of Perl. However, as a converse, I would stipulate that IIS is a security hole, rather than bad usage of IIS :)