During the last couple of days I have been testing several attack vectors to circumvent the browser security sandbox also known as "the same origin policy". There is a lot involved into this subject and I will present my notes very soon.
As you can see, publicly available anonymizing proxies can be used to fetch remote pages. This technique will work quite successfully on Internet resources but not on Intranet. The reason for this is obvious.
The requests made are anonymous since they are proxied. This may amplify or reduce the risk depending on the situation. However an anonymous self-propagating worm can be in theory - possible.