Well, apparently it seems that your aim here is to win the debate.
Tell your friend to find a piece of malware. Rename it to any of the extensions excluded by the Standard Shield. Now write two files: 1) an autorun.inf file, pointing to a batch file
[autorun]
open=insert_name_here.bat
and 2) the batch file itself, which uses the "start" command to launch the malware, which had been previously renamed.
Next tell him to copy the 3 files (the inf and bat file, and the malware) to a USB drive. And, assuming you have autorun enabled on your computer, plug the USB drive into your computer.
I don't know of any malicious drive-by downloads which use this method yet, so you'll have to do it by USB. Theoretically, though, I don't see what's stopping a malicious website from similarly downloading an .exe renamed to .tmp or .ini or something similar, then using cmd.exe to invoke it.
Go ahead. Give it a try. I'm looking for answers to questions here, so hopefully this will keep you busy and away for a while.
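
A defensive check for the pattern described in the post above, added here as an example and not part of the original post: it lists what an autorun.inf on a drive would launch and flags files that begin with the PE "MZ" magic under a non-executable extension. The function names, the extension list and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".sys"}   # extensions expected to hold PE files
LAUNCH_KEYS = {"open", "shellexecute"}                 # autorun.inf keys that name a program

def autorun_targets(root):
    """Return the programs an autorun.inf in `root` would launch."""
    targets = []
    for name in os.listdir(root):
        if name.lower() != "autorun.inf":
            continue
        in_section = False
        with open(os.path.join(root, name), encoding="latin-1") as fh:
            for line in fh:
                line = line.strip()
                if line.startswith("["):
                    in_section = line.lower() == "[autorun]"
                elif in_section and "=" in line:
                    key, value = line.split("=", 1)
                    if key.strip().lower() in LAUNCH_KEYS:
                        targets.append(value.strip())
    return targets

def disguised_executables(root):
    """Return files that begin with the 'MZ' magic but lack an executable extension."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                magic = fh.read(2)
            if magic == b"MZ" and os.path.splitext(name)[1].lower() not in EXEC_EXTS:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)

def build_sample(root):
    """Constructed drive layout; data.tmp is a 64-byte 'MZ' stub, not a program."""
    files = {"autorun.inf": b"[autorun]\r\nopen=launch.bat\r\n",
             "launch.bat": b"rem constructed placeholder\r\n",
             "data.tmp": b"MZ" + b"\x00" * 62,
             "notes.txt": b"benign\r\n"}
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        print("autorun targets:", autorun_targets(d))
        print("disguised executables:", disguised_executables(d))
```

Checking content by magic bytes rather than by extension is what closes the gap the post relies on, since an extension-based exclusion never opens the renamed file.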