I've checked and Outlook does indeed use OLE technology to show html content so preview will downoad the virus to your system.

Looks like another incarnation of the ActiveX security bugs which allow automatic execution of automiaticall downloaded code.

I think theres a registry setting which allows you to turn this off (safe_for_scripting rings a bell) but until I look it up you'd be better off disabling preview in Outlook else you could accidentally preview it, especially if you have multiple copies of the email on your system.

True enough that Norton etc scans emails but there are so many ways around this feature, which are built into the script kiddie tools, that I wouldn't rely on it.