These actions are generally run in a browser’s so-called “sandbox”. A sandbox is a standard component of browsers or plug-ins serving to reduce the risk potential on the Internet. In the process, unknown scripts are provided with a contained area where they can be run safely (i.e. they only have limited access, for instance to a local hard drive).
If a browser or plug-in has a vulnerability though, such scripts can access user devices directly. It is therefore possible for malware go get from the web server to the browser and then onto a user device via such a vulnerability, without any conscious action by a user.
Protection provided by script language deactivation?
There are no really effective protective measures against drive-by downloads to date. To increase security further, you can deactivate script languages. However, this is not really a solution feasible in practice, since 95% of all websites rely on the technologies mentioned above, so that a large number of websites can no longer be displayed properly this way.