Browsers tend to crap themselves if you try to actually install something. You might get away with a java applet installed but they are sandboxed really damned well so I doubt the avenue is applicable. Your best bet would be some sort of active evilgrade attack, but digital signatures can be a problem.
In terms of MiTM itself, the quietest ways are actually sslstrip and having a valid root certificate installed. I usually deploy a root cert out to my XP machines in the domain so that I can ettercap them at will without getting the giant "OMG IZ BAD!" alerts, but what happens after that can be more problematic.