I've posted a two-part FAQ addressing security considerations for apps that host MSHTML.  Check it out over at the SRD blog!

The MSHTML Host Security FAQ: Part I of II
The MSHTML Host Security FAQ: Part II of II