If the user selects a file via <input type="file">, you can read and process that file using the File API.
Reading or writing arbitrary files is not allowed by design. It’s a violation of the sandbox. From Wikipedia -> Javascript -> Security:
JavaScript and the DOM provide the
potential for malicious authors to
deliver scripts to run on a client
computer via the web. Browser authors
contain this risk using two
restrictions. First, scripts run in a
sandbox in which they can only perform
web-related actions, not
general-purpose programming tasks like
creating files.
2016 UPDATE: Accessing the filesystem directly is possible via the Filesystem API, which is only supported by Chrome and Opera and may end up not being implemented by other browsers (with the exception of Edge). For details see Kevin’s answer.