I think the issue is email that pulls linked resources from remote websites. An email might make it past your firewall/scanner, but then request a malicious file from a remote server when the user opens it, or when it appears in a preview pane. Of course, this can happen with regular webpages as well, though you can control what websites you visit better than what spam appears in your inbox.
The ideal solution would be to maintain up-to-date protection on the machine, and turn off automatic loading of ActiveX scripts in the browser.
I have disabled HTML mail on our email readers. I have read where
malicious Java/ActiveX/or something can be embedded in the file. No one
has complained to me about this, but I'm wondering if I need to be so
paranoid. Is HTML mail a risk?
Bellows Free Academy
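
The reply at the top of this thread points at HTML mail that fetches linked resources when it is opened or previewed. As an added example (not part of the original thread), this Python sketch lists the elements in a message's HTML parts that would trigger a remote fetch or embed active content; the class, function names and sample message are constructed for illustration.

```python
# Added example: names and the sample message are constructed for illustration.
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Tags that embed active content (scripts, ActiveX/Java via object/embed/applet).
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe"}
# Attributes a mail client resolves while rendering, without any user click.
FETCH_ATTRS = {"src", "background", "data", "codebase", "poster"}

class MailHtmlAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.active = []   # active-content tags seen, in document order
        self.remote = []   # (tag, attribute, url) fetched on render

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.active.append(tag)
        for name, value in attrs:
            url = (value or "").strip()
            is_remote = url.lower().startswith(("http://", "https://", "//"))
            # <link href> loads a stylesheet; <a href> only loads on a click.
            fetches = name in FETCH_ATTRS or (tag == "link" and name == "href")
            if fetches and is_remote:
                self.remote.append((tag, name, url))

def audit_message(raw):
    """Parse a raw RFC 5322 message and audit every text/html part."""
    msg = message_from_string(raw, policy=policy.default)
    audit = MailHtmlAudit()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            audit.feed(part.get_content())  # decodes the transfer encoding
    audit.close()
    return {"active": audit.active, "remote": audit.remote}

def build_sample():
    """Constructed multipart message: cid: image, remote image, object, link."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("Plain-text alternative.")
    msg.add_alternative(
        '<html><body><img src="cid:logo">'
        '<img src="http://tracker.example/pixel.gif">'
        '<object codebase="http://files.example/control.cab"></object>'
        '<a href="http://www.example/">link</a></body></html>',
        subtype="html")
    return msg.as_string()

if __name__ == "__main__":
    print(audit_message(build_sample()))
```

The `cid:` image and the plain hyperlink are not reported, because neither causes a network request when the message is merely displayed.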