[logfromblammo]

I'm going to agree with you there. The browser environment you set up for your non-technical friends and acquaintances should include a script and flash blocker that supports both whitelisting and blacklisting.

You simply shouldn't allow a script to run on your device without some amount of trust in the site that gave it to you or a thorough code inspection by multiple experts. Even then, it still might have a hidden exploit.

Because of this, there ought to at least be a landing page for script-blockers with a bit of explanation as to why they can't make use of the site without allowing scripts.

I am firmly of the opinion that scripts should strictly be an optional addition solely for the purpose of improving the user experience of visitors. HTTP 1.1 is good enough that about the only thing you do actually need scripts for is persistent and/or two-way communication channels. Almost everything else can be accomplished on the server side with a stripped-down user interface (as one might use with screen readers, text browsers, or even SMS or WAP on feature phones).