
Guess what your doctor does to look at your X-rays: The chance is high that he'll just execute the .exe file on the CD-ROM too. I've witnessed that already multiple times and always cringe, because of the obvious security implications. It'd be so straightforward to compromise a doctor's office by handing them over a different CD-ROM with malware instead.


The one I worked for also included a viewer on discs burned for distribution (typically to patients, but could go elsewhere if the patient signed the right document), but we used a couple different viewers internally. If we received a disc, that DICOM data was imported using our viewers, never whatever was provided on the disc. Local network traffic was…closely monitored.

Occasionally, a remote doctor (not from our office) would call for help with the viewer we provided on disc. Usually, because some advanced feature they could have used at their office didn't exist in the patient viewer, or worked differently.

Normally, instead of discs, we just transceived images via PACS, or accepted physical films to be scanned into our PACS.



