Not so much don't download files with it, but more don't download and run .JAR files no matter what browser you're using. Ever. They're executables that should be treated as such by Windows security settings, just like they do with .exe and .bat files that are downloaded. But JARs are given a free pass for some stupid reason.
There are a couple of fixes that should be put into place regardless of what Google does with Chrome. And I suspect they'll fix this one pretty quickly since it's egg on their face. First, Windows Explorer should treat .JARs exactly like they do .EXE and .BAT files that are downloaded. They should pop up a warning. Second, JRE (the Java Runtime Engine) should be checking the Zone.Identifier for JAR files, which, funnily enough, is correctly set by Chrome, unlike a lot of other browsers.
That said, I did figure they were going to run into issues exactly like this when I read the beta release details. As you can see from the docs and even in the log file capture I did above, they're using some of their own stuff along with stuff from Apple's WebKit and Safari, as well as some stuff from Mozilla. That's problematic as a starting point, because it means one has to track bugs in multiple applications to see if they could affect Chrome. Oh well, I'm sure they'll get on the ball with these security bugs in a hurry since improved security is a major part of their releasing Chrome in the first place. And it is Beta after all, so I don't think anyone can expect perfection straight out of the gates. That's unrealistic.
On a completely unrelated front, has anybody had a chance yet to view either the SSL or Malware warning pages Chrome produces? I had a few minutes to play this afternoon, so I went to see what each was like. If anything, Chrome's warnings are even more ominous than the SSL warning IE put out there with ver. 7. I rather like the red background to give that ominous effect more punch.
Screen caps are below, with the site info redacted. The SSL warning is one where the site allows https connections to a non-www address but the cert is for the www version of the address. Something everybody should be watching out for if they run a secure e-comm store.
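
The Zone.Identifier check discussed in the post above, sketched as an added example that is not part of the original post or of any browser's or the JRE's code: it parses the stream a browser attaches to a download and decides whether a launchable file, .jar included, should trigger a warning. The function names, the sample stream and the choice to warn on an unreadable mark are assumptions made for illustration.

```python
import configparser
import os

# Extensions treated as launchable; .jar is the one the post says gets no warning.
LAUNCHABLE = {".jar", ".exe", ".bat"}
# URLZONE values: 0 local machine, 1 intranet, 2 trusted, 3 internet, 4 restricted.
UNTRUSTED_ZONES = {3, 4}

# Constructed sample of the stream content written next to a downloaded file.
SAMPLE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://downloads.example/tool.jar\r\n"


def parse_zone_id(stream_text):
    """Return the ZoneId from Zone.Identifier text, or None if absent or malformed."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        parser.read_string(stream_text.lstrip("\ufeff"))
        return int(parser["ZoneTransfer"]["ZoneId"].strip())
    except (configparser.Error, KeyError, ValueError):
        return None


def read_zone_stream(path):
    """Read the NTFS alternate data stream; None when there is no stream or no NTFS."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def should_warn(filename, stream_text):
    """True when a launchable file carries an Internet or Restricted zone mark."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in LAUNCHABLE or stream_text is None:
        return False  # not launchable, or no mark at all (locally created file)
    zone = parse_zone_id(stream_text)
    # Assumption of this example: a mark that exists but cannot be parsed fails closed.
    return zone is None or zone in UNTRUSTED_ZONES


if __name__ == "__main__":
    print("tool.jar ->", should_warn("tool.jar", SAMPLE_STREAM))
```

On an NTFS volume, `should_warn(path, read_zone_stream(path))` applies the same decision to a real download.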