The Professional version of avast! has so called “Script blocker” - that scans the scripts (JavaScript/VBScript) executed within the web browser (and denies access if they’re found infected).

Yes, it’s possible that in some cases (e.g. when your IE doesn’t have the necessary security updates applied) a malicious content of a HTML file is executed before written to disk (in fact, I think the cache items are written to disk independently on their execution - but I may be wrong). An example of such a behavior is the VBS:RedLof virus.

As for the web-mails… I’d guess they’re just a simple web browsers, but I may easily be wrong - don’t know anything about them.