So basically send someone a zip file with a DLL + readme.txt. Most people would avoid the DLL but not think twice about opening the readme. Sounds nasty.
It depends upon the DLLs that the default application uses to show the .txt file to the user: the application has to try to install a DLL that is not in the usual places (i.e., system & windows directories and the application directories). So there is likely to be some speculative DLL lookup going on for apparently well-behaving code to be vulnerable to this.
From the description of the vulnerability, it sounds as if the culprit is some code mounting documents over the network, and so just opening a readme.txt in the local directory will not trigger this.
From the "Mitigating Factors" section of CVE-2011-1991:
"For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application."
Since a ZIP file would extract to a local directory, nothing would happen.
If you extracted the TXT+DLL locally, then you'd be vulnerable, because the problem is that the TXT file is the current directory, and something (WordPad and Notepad, maybe, or Explorer itself) is searching for a DLL that doesn't exist elsewhere on the system, and one of the places searched is the current directory.
All the stuff about WebDav being necessary for a successful attack is because they're assuming someone can't drop a DLL onto your system. But if you unzip a package with a README.txt in the same folder as a DLL you would be vulnerable.
From the description of the vulnerability, it sounds as if the culprit is some code mounting documents over the network, and so just opening a readme.txt in the local directory will not trigger this.