Why are you trying to do this exactly? It sounds inherently dangerous, since IP addresses can be spoofed. I hope you have some sort of secondary security system in place, since IP spoofing is the first thing I'd try if I were going to mess with a site.
The thing is, the HTML he is producing executes /usr/bin/ (I assume on his platform it opens a file explorer) from the local machine (i.e., the machine that is running the browser). There is no security risk.