First, Adobe Flash Player runs as an integrated program inside IE10, on both the Metro and Desktop sides of the fence; we're promised Flash Player will work on ARM-based Windows RT machines as well. If you use Internet Explorer 10 on the Desktop side of Windows 8, any site with embedded Flash animations should work. If you use Metro IE10, the site with embedded Flash must appear on a white list before IE allows Flash Player to run. Microsoft's Internet Explorer Compatibility View list currently contains 417 sites deemed safe enough for Metro IE10's Flash Player.
If you go to a Flash site in Metro IE10 not on the white list, you may or may not know there's a Flash animation on the site -- most sites revert to a static image if they detect that your browser can't see the Flash, and Metro IE doesn't say a thing. I found that very confusing at times: I expected Metro IE10 to put up a notification saying something like "Flash required to see all of this site," but there's no warning at all.
It'll get even more confusing when people head to sites with ActiveX controls. ActiveX runs on Desktop IE10. ActiveX controls don't run at all on Metro IE10 -- and at least in the sixth platform preview, Metro IE10 doesn't tell you it's encountered nonfunctional ActiveX controls. In Metro IE10, if you guess that you need an ActiveX control to properly view the page, you can tap or click the wrench icon in the Navigation Bar at the bottom of the screen, and choose "View on the Desktop." That takes you to the other IE10, which should be able to handle the ActiveX control.
You might think an embedded Flash Player would put the monkey on Microsoft's back to keep Flash patched and safe, but that isn't the case. According to Adobe evangelist and Flash development guru Mike Chambers, "[S]imilar to how Flash Player is distributed with Google Chrome, Adobe does all of the player development, and then shares the player with Microsoft to distribute via its update mechanism. Microsoft doesn't have access to the Flash Player source code."
Second, IE10 implements Do Not Track by default. Right now, Do Not Track (DNT to its friends) has no teeth: It's a privacy poster boy, and not much more. With some luck that will change. DNT is a simple flag in the header sent to every website you go to that says, "Please don't track me." It's up to the site to refrain from all tracking behavior, presumably including IP logging and dishing up both first- and third-party cookies. I say "presumably" because there's still no standard for DNT, although the U.S. Federal Trade Commission has been asking for it since December 2010 (PDF).
Mozilla invented the DNT approach, and Firefox and Safari both implement it. (To turn on DNT in Firefox, click the Firefox button, Options, Options, Privacy, check the box "Tell Web Sites I Do Not Want to Be Tracked.") IE9 has a DNT implementation, but enabling it is extraordinarily convoluted, even by Microsoft standards. Google is on record as saying it will implement DNT in a future version of Chrome.
On the one hand, making DNT the default is rightfully going to be viewed as a bold pro-privacy step for Microsoft. On the other hand, it's a shot fired across archrival Google's bow. On the third hand, the World Wide Web Consortium group that's working on DNT has been thrown into a hissing contest, with advertisers and browser designers slinging a dozen different points of view about how browsers should offer DNT to their users, how websites should treat DNT requests, and whether there's enough consensus to be able to implement anything meaningful, this year or this decade.
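The DNT header described above, seen from the receiving site's side, as an added example that is not from the article: a Python WSGI middleware that treats `DNT: 1` as an opt-out by dropping designated tracking cookies and truncating the logged IP address. The cookie names, the sample app and the policy itself are assumptions, since there is still no standard for what a site must do with the flag.

```python
# Added example (not from the article): WSGI middleware that honors "DNT: 1".
from wsgiref.util import setup_testing_defaults

TRACKING_COOKIES = {"_uid", "ad_id"}   # hypothetical tracking cookie names

def wants_no_tracking(environ):
    """True only for the literal header value "1"; absent or "0" is no opt-out."""
    return environ.get("HTTP_DNT", "").strip() == "1"

def anonymize_ip(addr):
    """Zero the last IPv4 octet so the logged address no longer names one host."""
    parts = addr.split(".")
    return ".".join(parts[:3] + ["0"]) if len(parts) == 4 else "anonymized"

class HonorDNT:
    def __init__(self, app, log):
        self.app, self.log = app, log

    def __call__(self, environ, start_response):
        dnt = wants_no_tracking(environ)
        addr = environ.get("REMOTE_ADDR", "")
        self.log.append(anonymize_ip(addr) if dnt else addr)

        def filtered_start(status, headers, exc_info=None):
            if dnt:  # assumed policy: drop only cookies designated as tracking
                headers = [(k, v) for k, v in headers
                           if not (k.lower() == "set-cookie"
                                   and v.split("=", 1)[0].strip() in TRACKING_COOKIES)]
            return start_response(status, headers, exc_info)

        return self.app(environ, filtered_start)

def sample_app(environ, start_response):
    """Constructed app that sets one session cookie and one tracking cookie."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "session=abc; HttpOnly"),
                              ("Set-Cookie", "_uid=12345; Max-Age=31536000")])
    return [b"ok"]

def run(dnt_value=None, addr="203.0.113.57"):
    """Drive one constructed request through the middleware; return (cookies, log)."""
    environ, log, seen = {"REMOTE_ADDR": addr}, [], []
    setup_testing_defaults(environ)
    if dnt_value is not None:
        environ["HTTP_DNT"] = dnt_value
    HonorDNT(sample_app, log)(environ, lambda s, h, e=None: seen.extend(h))
    return [v for k, v in seen if k == "Set-Cookie"], log
```

Because the browser only sends the flag, every effect shown here is the server's choice; a site that ignores `HTTP_DNT` behaves exactly as in the `run()` case with no header.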