I couldn't be bothered to read the whole thread, but for the first two questions...
1. You can use DHTML which would look something like the following. Hopefully it is self explanatory; you need to create two styles ... <img onmouseover="this.classname='one';" onmouseout="this.classname='two';" class="two" />
2. Because your questions are fairly basic, I assume you haven't yet got onto server-side scripting. Why do you want a login? An unprofessional password solution that works without server side checking goes something like the following. This code may not work because it's late in the evening and I am actually sleeping
<form action="http://mywebsite.com">
Enter password:
<input name="password" type="text">
<input value="Go" type="submit" onclick="document.forms[0].action+=document.forms[0].password.value+'.html';">
</form>
... so it tries to open a page with the name of your password. Enter the wrong password and get a 404 error. You could use a frame to catch the 404 and bounce them back, add username in the same way, hide the secret page in your site index, and tell search robots not to read it. Pretty cheap trick, but it has some novelty value and it's actually more secure than some server-side solutions
***
Javascript is almost always enabled. It is much more common to find Macromedia Flash disabled (or missing) than it is to find Javascript switched off, and many commercial sites (and adverts) use Flash! If the professionals can't be bothered to target all browsers then why should you? Also, Flash itself supports embedded Javascript so at the end of the day, Javascript is the very last thing that is ever disabled in a browser.
Javascript is harmless: It has no means of writing to the local machine. The worst thing it can do is enter an infinite loop (bad scripting) but MSIE will ussually notice before it crashes and prompt you with "a script on this page is causing your system to slow down, do you want to exit the script?" ... or the script might cause lots of problematic popups, but FireFox (or Netscape) can block those. There are third party utilities (i.e. Webwasher.com) that will remove popups from pages displayed in other browsers. Javascript DOM can do some visuals that trick some people into doing stupid things but the risks are small.
Java is something completely different and you should not confuse it with Javascript. Several Java implementations are packed with security problems and Java scripts (two words: scripts containing Java, not Javascript) commonly harbour malicious code. It is much more common that Java support is disabled (or missing) but nobody has suggested using that evil
I suspect Chieftess has confused Java with Javascript, because the stealthiest thing Javascript can do is silly stuff like the following. When you hover over the link, the browser status bar displays a safe URL, but when your mouse button depresses that URL changes. Scarey huh? *I'm quaking in my boots*
<a href="http://somewheresafe.com" onmousedown="this.href='http://somewherenaughty.com';">Visit my website</a>
****
Javascript is a programming language; actually, it's core is ECMAscript 262 but nobody cares about that.
Like most programming languages, Javascript is implemented in many different places. Each implementation has the same core, meaning the same syntax but implementations vary in other respects. The implementation in MSIE (called JScript) is very slightly different. I already mentioned that it is implemented in Macromedia Flash. It is also implemented in the Windows Scripting Host (WScript) where it has different features.
WScript can do quite a lot on a local machine, like launch executables. However, WScript objects are not supported in MSIE and vice versa. There is little risk of scripts crossing from one environment to the other...
If I were to explore the possibilities, I might have a WScript in a webpage: It would fail to do anything, but any browser would store the file in it's cache anyway... then I might have instructions on the webpage telling the user to look through their browser cache and open the file called *.js and the WScript would be launched locally and do something malicious. Having said that, disabled JavaScript support would not change anything because I can still use <img src="*.js"> with the exact same result. I could do the same with <img src="*.exe"> ... Do you think anyone would actually follow the instructions and open that file?
