said by OZO:
Let's make it simple - there should be no way to automatically execute an application from any attached media without the user's explicit consent (AutoRun functionality), and there should be no exceptions. Period.
If you allow such execution - you facilitate compromising computers. Isn't that simple?
Now, with the current implementation of this functionality in WXP SP2 there is no way to execute AutoRun automatically if you block it with the NoDriveAutoRun or NoDriveTypeAutoRun registry values. But there are cases of deceptive execution that may be done by users. For example:
1) Go to Start|My Computer and click on the drive with attached media. Instead of opening its content in Explorer (as one may expect) - you execute a startup application immediately.
2) If the autorun.inf file contains 'shell\..' instructions replacing the Open and/or Explore menu item(s) in the context menu for the new drive - you may execute a startup application from the context menu instead of opening or exploring the content of the drive.
No prompt or warning will be displayed to the user in such cases. It's dangerously wrong and must be fixed ASAP.
The solution should be simple - every time an AutoRun instruction is about to be executed (in the two cases described above) there should be a dialog box asking for explicit permission to do so. It's imperative that it should be done without any exception. The dialog box should display the explicit name of the program that is asking for permission to run.
Please note: in this post I'm talking about the particular AutoRun functionality, and not about the AutoPlay functionality, which is a different one. Solution is Vista... AND which is why
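A defender-side check for the two deceptive cases described in the post, as an added example that is not part of the original post: it parses the text of an autorun.inf file and reports entries that launch a program on double-click or replace the Open/Explore context-menu verbs. The function name, the finding labels and the sample file are assumptions constructed for illustration.

```python
import re

# [autorun] keys that start a program when the drive is double-clicked (case 1).
LAUNCH_KEYS = {"open", "shellexecute"}
# Context-menu verbs whose replacement disguises execution as browsing (case 2).
BROWSE_VERBS = {"open", "explore"}
VERB_CMD = re.compile(r"^shell\\([^\\]+)\\command$", re.IGNORECASE)

def audit_autorun(text):
    """Return (kind, key, value) findings for the text of one autorun.inf."""
    findings, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        m = VERB_CMD.match(key)
        if key.lower() in LAUNCH_KEYS:
            findings.append(("double-click-launch", key, value))
        elif m and m.group(1).lower() in BROWSE_VERBS:
            findings.append(("browse-verb-replaced", key, value))
        elif m:
            findings.append(("extra-verb-command", key, value))
        elif key.lower() == "shell":
            findings.append(("default-verb-set", key, value))
    return findings

# Constructed sample input, not taken from any real media.
SAMPLE = r"""
[AutoRun]
open=setup.exe
icon=setup.exe,0
shell\open\command=setup.exe
shell\explore\command=setup.exe
shell\install=&Install
shell\install\command=setup.exe /i
shell=install
[Other]
open=ignored.exe
"""

if __name__ == "__main__":
    for kind, key, value in audit_autorun(SAMPLE):
        print(f"{kind:22} {key} = {value}")
```

Entries reported as `browse-verb-replaced` are the ones where choosing Open or Explore from the drive's context menu would run the listed command instead of showing the drive's contents.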