and you (the browser user) will be prompted to allow access. (for Firefox you just need to do this once every time the browser is started)
If the browser user is someone else, they have to grant permission.
Only digitally signed scripts can elevate permissions, otherwise it is just denied (you get something like "A script from "http://darktower.eondream.com" was denied UniversalXPConnect privileges.")
I haven't looked into this on IE yet. I wouldn't be terribly surprised to find a similar situation where only digitally signed code can elevate privileges.
Here is the firefox page about digitally signed scripts: http://www.mozilla.org/projects/security/components/signed-scripts.html
You need not digitally sign the script, if the user enables signed.applets.codebase_principal_support (In about:config set the value to true)
This is explained in the same page under the heading Codebase Principals
page revision: 2, last edited: 29 Oct 2010 02:30